Summary (call counts per syscall):

NtCallbackReturn(>) 1 NtOpenProcessTokenEx(>) 2 NtQueryInformationFile(>) 7 NtFlushInstructionCache(>) 43
NtGdiCreateBitmap(>) 1 NtOpenThreadTokenEx(>) 2 NtUnmapViewOfSection(>) 7 NtCreateEvent(>) 53
NtGdiInit(>) 1 NtQueryDefaultLocale(>) 2 NtQueryInformationProcess(>) 8 NtOpenKey(>) 104
NtGdiQueryFontAssocInfo(>) 1 NtQueryPerformanceCounter(>) 2 NtQueryVirtualMemory(>) 9 NtContinue(>) 105
NtGdiSelectBitmap(>) 1 NtQuerySystemTime(>) 2 NtSetInformationFile(>) 9 NtQuerySystemInformation(>) 114
NtOpenKeyedEvent(>) 1 NtReadFile(>) 2 NtSetInformationThread(>) 9 NtQueryInformationThread(>) 165
NtOpenSymbolicLinkObject(>) 1 NtSetInformationObject(>) 2 NtUserFindExistingCursorIcon(>) 9 NtResumeThread(>) 168
NtQueryObject(>) 1 NtFreeVirtualMemory(>) 3 NtOpenThreadToken(>) 10 NtCreateThread(>) 169
NtQuerySymbolicLinkObject(>) 1 NtGdiCreateCompatibleDC(>) 3 NtQuerySection(>) 12 NtClose(>) 175
NtRaiseException(>) 1 NtQueryVolumeInformationFile(>) 3 NtUserRegisterClassExWOW(>) 14 NtRequestWaitReplyPort(>) 203
NtSetInformationProcess(>) 1 NtSecureConnectPort(>) 3 NtSetValueKey(>) 16 NtRegisterThreadTerminatePort(>) 204
NtUserCallNoParam(>) 1 NtWriteFile(>) 3 NtCreateKey(>) 18 NtTestAlert(>) 204
NtUserGetThreadDesktop(>) 1 NtCreateIoCompletion(>) 4 NtCreateSection(>) 19 NtDuplicateObject(>) 209
NtCreateMutant(>) 2 NtGdiGetStockObject(>) 5 NtOpenSection(>) 21 NtQueryValueKey(>) 226
NtGdiCreateSolidBrush(>) 2 NtQueryInformationToken(>) 5 NtOpenFile(>) 22 NtProtectVirtualMemory(>) 268
NtNotifyChangeKey(>) 2 NtConnectPort(>) 6 NtQueryAttributesFile(>) 32 NtAllocateVirtualMemory(>) 422
NtOpenDirectoryObject(>) 2 NtCreateFile(>) 7 NtMapViewOfSection(>) 33 NtSetEventBoostPriority(>) 744
NtOpenProcessToken(>) 2 NtFsControlFile(>) 7 NtDeviceIoControlFile(>) 36 NtWaitForSingleObject(>) 1047

Trace (per entry: sequence number, thread id, syscall, arguments, result):

00001 1956 NtOpenFile (0x80100000, {24, 0, 0x240, 0, 0, (0x80100000, {24, 0, 0x240, 0, 0, "\SystemRoot\Prefetch\PACKED.EXE-09ED06A1.pf"}, 0, 32, ... ) }, 0, 32, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00002 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00003 1956 NtOpenKeyedEvent (0x2000000, {24, 0, 0x0, 0, 0, (0x2000000, {24, 0, 0x0, 0, 0, "\KernelObjects\CritSecOutOfMemoryEvent"}, ... 4, ) }, ... 4, ) == 0x0 00004 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00005 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 1310720, 1048576, ) == 0x0 00006 1956 NtAllocateVirtualMemory (-1, 1310720, 0, 4096, 4096, 4, ... 1310720, 4096, ) == 0x0 00007 1956 NtAllocateVirtualMemory (-1, 1314816, 0, 8192, 4096, 4, ... 1314816, 8192, ) == 0x0 00008 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00009 1956 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 2359296, 65536, ) == 0x0 00010 1956 NtAllocateVirtualMemory (-1, 2359296, 0, 24576, 4096, 4, ... 2359296, 24576, ) == 0x0 00011 1956 NtOpenDirectoryObject (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\KnownDlls"}, ... 8, ) }, ... 8, ) == 0x0 00012 1956 NtOpenSymbolicLinkObject (0x1, {24, 8, 0x40, 0, 0, (0x1, {24, 8, 0x40, 0, 0, "KnownDllPath"}, ... 12, ) }, ... 
12, ) == 0x0 00013 1956 NtQuerySymbolicLinkObject (12, ... (12, ... "C:\WINDOWS\system32", 0x0, ) , 0x0, ) == 0x0 00014 1956 NtClose (12, ... ) == 0x0 00015 1956 NtOpenFile (0x100020, {24, 0, 0x42, 0, 0, (0x100020, {24, 0, 0x42, 0, 0, "\??\C:\scripts\"}, 3, 33, ... 12, {status=0x0, info=1}, ) }, 3, 33, ... 12, {status=0x0, info=1}, ) == 0x0 00016 1956 NtQueryVolumeInformationFile (12, 1243852, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00017 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\packed.exe.Local"}, 1243804, ... ) }, 1243804, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00018 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "kernel32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00019 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7c800000), 0x0, 1003520, ) == 0x0 00020 1956 NtClose (16, ... ) == 0x0 00021 1956 NtProtectVirtualMemory (-1, (0x7c801000), 1568, 4, ... (0x7c801000), 4096, 32, ) == 0x0 00022 1956 NtProtectVirtualMemory (-1, (0x7c801000), 4096, 32, ... (0x7c801000), 4096, 4, ) == 0x0 00023 1956 NtFlushInstructionCache (-1, 2088767488, 1568, ... ) == 0x0 00024 1956 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00025 1956 NtQuerySystemInformation (RangeStart, 4, ... {system info, class 50, size 4}, 0x0, ) == 0x0 00026 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00027 1956 NtCreateSection (0xf001f, 0x0, {65536, 0}, 4, 67108864, 0, ... 16, ) == 0x0 00028 1956 NtSecureConnectPort ( ("\Windows\ApiPort", {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 
24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) , {0, 2, 1, 1}, {24, 16, 0, 65536, 0, 0}, 1319736, {12, 0, 0}, 1241944, 44, ... 24, {24, 16, 0, 65536, 2424832, 18415616}, {0, 0, 0}, 200, 44, ) == 0x0 00029 1956 NtClose (16, ... ) == 0x0 00030 1956 NtQueryObject (24, Handle, 2, ... {Inherit=0,ProtectFromClose=0,}, -1, ) == 0x0 00031 1956 NtSetInformationObject (24, Handle, {Inherit=0,ProtectFromClose=1,}, 256, ... ) == 0x0 00032 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00033 1956 NtQueryVirtualMemory (-1, 0x250000, Basic, 28, ... {BaseAddress=0x250000,AllocationBase=0x250000,AllocationProtect=0x4,RegionSize=0x10000,State=0x2000,Protect=0x0,Type=0x40000,}, 0x0, ) == 0x0 00034 1956 NtAllocateVirtualMemory (-1, 2424832, 0, 4096, 4096, 4, ... 2424832, 4096, ) == 0x0 00035 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 57963, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57963, 0} (24, {28, 56, new_msg, 0, 1242260, 1242460, 2089900544, 1242184} "\210\6\31\1\0\0\0\0eZ\221|\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 57963, 0} "`\375\27\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\234\6\31\1\4\0\0\0" ) ) == 0x0 00036 1956 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00037 1956 NtAllocateVirtualMemory (-1, 1232896, 0, 4096, 4096, 260, ... 
1232896, 4096, ) == 0x0 00038 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00039 1956 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00040 1956 NtClose (16, ... ) == 0x0 00041 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionUnicode"}, ... 16, ) }, ... 16, ) == 0x0 00042 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x260000), 0x0, 90112, ) == 0x0 00043 1956 NtClose (16, ... ) == 0x0 00044 1956 NtQueryDefaultLocale (0, 2089305000, ... ) == 0x0 00045 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionLocale"}, ... 16, ) }, ... 16, ) == 0x0 00046 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x280000), 0x0, 249856, ) == 0x0 00047 1956 NtClose (16, ... ) == 0x0 00048 1956 NtOpenSection (0x5, {24, 0, 0x40, 0, 0, (0x5, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey"}, ... 16, ) }, ... 16, ) == 0x0 00049 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x2c0000), 0x0, 266240, ) == 0x0 00050 1956 NtQuerySection (16, Basic, 16, ... {BaseAddress=0x0,Attributes=0x800000,Size={0x40004, 0x0},}, 0x0, ) == 0x0 00051 1956 NtClose (16, ... ) == 0x0 00052 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortTbls"}, ... 16, ) }, ... 16, ) == 0x0 00053 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x310000), 0x0, 24576, ) == 0x0 00054 1956 NtClose (16, ... ) == 0x0 00055 1956 NtQueryVirtualMemory (-1, 0x7ffd2000, Basic, 28, ... 
{BaseAddress=0x7ffd2000,AllocationBase=0x7ffb0000,AllocationProtect=0x2,RegionSize=0x2000,State=0x1000,Protect=0x2,Type=0x40000,}, 0x0, ) == 0x0 00056 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00057 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionSortkey00000409"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00058 1956 NtAllocateVirtualMemory (-1, 2428928, 0, 8192, 4096, 4, ... 2428928, 8192, ) == 0x0 00059 1956 NtRequestWaitReplyPort (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1292, 1956, 57964, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ... {24, 52, reply, 0, 1292, 1956, 57964, 0} (24, {24, 52, new_msg, 0, 7012468, 7929957, 3145776, 3145776} "\210\6\31\1\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ... {24, 52, reply, 0, 1292, 1956, 57964, 0} "\10P\30\0\36\0\1\0\0\0\0\0\377\377\377\377\234\6\31\1p\30\0\0" ) ) == 0x0 00060 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57965, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57965, 0} (24, {28, 56, new_msg, 0, 2089305760, 2090321376, 0, 0} "\210\6\31\1\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57965, 0} "\250\202\26\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\234\6\31\18\6\0\0" ) ) == 0x0 00061 1956 NtProtectVirtualMemory (-1, (0x409000), 65552, 4, ... (0x409000), 69632, 128, ) == 0x0 00062 1956 NtProtectVirtualMemory (-1, (0x409000), 69632, 128, ... 
(0x409000), 69632, 4, ) == 0x0 00063 1956 NtFlushInstructionCache (-1, 4231168, 65552, ... ) == 0x0 00064 1956 NtQueryInformationProcess (-1, 37, 48, ... {process info, class 37, size 48}, 0x0, ) == 0x0 00065 1956 NtSetInformationProcess (-1, 34, {process info, class 34, size 4}, 4, ... ) == 0x0 00066 1956 NtOpenProcessToken (-1, 0x8, ... 16, ) == 0x0 00067 1956 NtQueryInformationToken (16, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00068 1956 NtClose (16, ... ) == 0x0 00069 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 16, ) }, ... 16, ) == 0x0 00070 1956 NtQueryValueKey (16, (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (16, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00071 1956 NtClose (16, ... ) == 0x0 00072 1956 NtTestAlert (... ) == 0x0 00073 1956 NtContinue (1244464, 1, ... 00074 1956 NtSetInformationThread (-2, Win32StartAddress(LpcReceivedMessageId), {StartAddress(LpcReceivedMsgId)=0x40283e,}, 4, ... ) == 0x0 00075 1956 NtQueryVirtualMemory (-1, 0x40980f, Basic, 28, ... {BaseAddress=0x409000,AllocationBase=0x400000,AllocationProtect=0x80,RegionSize=0x1000,State=0x1000,Protect=0x40,Type=0x1000000,}, 28, ) == 0x0 00076 1956 NtContinue (1244400, 0, ... 00077 1956 NtAllocateVirtualMemory (-1, 0, 0, 2395, 4096, 64, ... 3276800, 4096, ) == 0x0 00078 1956 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 16, ) }, ... 16, ) == 0x0 00079 1956 NtQueryValueKey (16, (16, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00080 1956 NtClose (16, ... ) == 0x0 00081 1956 NtAllocateVirtualMemory (-1, 1323008, 0, 4096, 4096, 4, ... 
1323008, 4096, ) == 0x0 00082 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "user32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00083 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x7e410000), 0x0, 589824, ) == 0x0 00084 1956 NtClose (16, ... ) == 0x0 00085 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "GDI32.dll"}, ... 16, ) }, ... 16, ) == 0x0 00086 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77f10000), 0x0, 290816, ) == 0x0 00087 1956 NtClose (16, ... ) == 0x0 00088 1956 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00089 1956 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00090 1956 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00091 1956 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00092 1956 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00093 1956 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00094 1956 NtProtectVirtualMemory (-1, (0x77f11000), 508, 4, ... (0x77f11000), 4096, 32, ) == 0x0 00095 1956 NtProtectVirtualMemory (-1, (0x77f11000), 4096, 32, ... (0x77f11000), 4096, 4, ) == 0x0 00096 1956 NtFlushInstructionCache (-1, 2012286976, 508, ... ) == 0x0 00097 1956 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00098 1956 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00099 1956 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00100 1956 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... (0x7e411000), 4096, 32, ) == 0x0 00101 1956 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00102 1956 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00103 1956 NtProtectVirtualMemory (-1, (0x7e411000), 1252, 4, ... 
(0x7e411000), 4096, 32, ) == 0x0 00104 1956 NtProtectVirtualMemory (-1, (0x7e411000), 4096, 32, ... (0x7e411000), 4096, 4, ) == 0x0 00105 1956 NtFlushInstructionCache (-1, 2118193152, 1252, ... ) == 0x0 00106 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00107 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00108 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00109 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 57966, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57966, 0} (24, {28, 56, new_msg, 0, 2089900645, 0, 2090320576, 1241608} "\210\6\31\1\0\0\0\0\344\0\23\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 57966, 0} "\320G\26\0\0\0\0\0\0\0\0\0\4\0\0\0\3\0\0\0\234\6\31\1$\1\0\0" ) ) == 0x0 00110 1956 NtFsControlFile (12, 0, 0x0, 0x0, 0x90028, 0x0, 0, 0, ... {status=0x0, info=0}, 0x0, ) == 0x0 00111 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239000, ... ) }, 1239000, ... 
) == 0x0 00112 1956 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00113 1956 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 16, ... 28, ) == 0x0 00114 1956 NtClose (16, ... ) == 0x0 00115 1956 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00116 1956 NtClose (28, ... ) == 0x0 00117 1956 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00118 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1238908, ... ) }, 1238908, ... ) == 0x0 00119 1956 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00120 1956 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 28, ... 16, ) == 0x0 00121 1956 NtClose (28, ... ) == 0x0 00122 1956 NtMapViewOfSection (16, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x420000), 0x0, 110592, ) == 0x0 00123 1956 NtClose (16, ... ) == 0x0 00124 1956 NtUnmapViewOfSection (-1, 0x420000, ... ) == 0x0 00125 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239216, ... ) }, 1239216, ... ) == 0x0 00126 1956 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00127 1956 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00128 1956 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00129 1956 NtOpenProcessToken (-1, 0x8, ... 32, ) == 0x0 00130 1956 NtQueryInformationToken (32, User, 136, ... 
{token info, class 1, size 36}, 36, ) == 0x0 00131 1956 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00132 1956 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00133 1956 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00134 1956 NtClose (36, ... ) == 0x0 00135 1956 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00136 1956 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 36, ) == 0x0 00137 1956 NtQueryInformationToken (36, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00138 1956 NtClose (36, ... ) == 0x0 00139 1956 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00140 1956 NtClose (32, ... ) == 0x0 00141 1956 NtClose (16, ... ) == 0x0 00142 1956 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x76390000), 0x0, 118784, ) == 0x0 00143 1956 NtClose (28, ... ) == 0x0 00144 1956 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00145 1956 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00146 1956 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00147 1956 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00148 1956 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00149 1956 NtFlushInstructionCache (-1, 1983451136, 696, ... 
) == 0x0 00150 1956 NtProtectVirtualMemory (-1, (0x76391000), 696, 4, ... (0x76391000), 4096, 32, ) == 0x0 00151 1956 NtProtectVirtualMemory (-1, (0x76391000), 4096, 32, ... (0x76391000), 4096, 4, ) == 0x0 00152 1956 NtFlushInstructionCache (-1, 1983451136, 696, ... ) == 0x0 00153 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.dll"}, ... 28, ) }, ... 28, ) == 0x0 00154 1956 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00155 1956 NtClose (28, ... ) == 0x0 00156 1956 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00157 1956 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00158 1956 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00159 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 28, ) }, ... 28, ) == 0x0 00160 1956 NtMapViewOfSection (28, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00161 1956 NtClose (28, ... ) == 0x0 00162 1956 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00163 1956 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00164 1956 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00165 1956 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00166 1956 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00167 1956 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00168 1956 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00169 1956 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00170 1956 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00171 1956 NtFlushInstructionCache (-1, 2011631616, 868, ... 
) == 0x0 00172 1956 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00173 1956 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00174 1956 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00175 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00176 1956 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00177 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00178 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 28, ) }, ... 28, ) == 0x0 00179 1956 NtQueryValueKey (28, (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00180 1956 NtQueryValueKey (28, (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (28, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00181 1956 NtClose (28, ... ) == 0x0 00182 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 28, ) }, ... 28, ) == 0x0 00183 1956 NtQueryValueKey (28, (28, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00184 1956 NtClose (28, ... 
) == 0x0 00185 1956 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 28, ) }, ... 28, ) == 0x0 00186 1956 NtSetInformationObject (28, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00187 1956 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00188 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00189 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00190 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1236132, ... ) }, 1236132, ... ) == 0x0 00191 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00192 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00193 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\IMM32.DLL"}, 1239536, ... ) }, 1239536, ... ) == 0x0 00194 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Error Message Instrument\"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00195 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize"}, ... 16, ) }, ... 16, ) == 0x0 00196 1956 NtQueryValueKey (16, (16, "DisableMetaFiles", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00197 1956 NtClose (16, ... ) == 0x0 00198 1956 NtMapViewOfSection (-2147482584, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x420000), 0x0, 1060864, ) == 0x0 00199 1956 NtClose (-2147482584, ... ) == 0x0 00200 1956 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 16, ) == 0x0 00201 1956 NtOpenThreadTokenEx (-2, 0x8, 1, 512, ... ) == STATUS_NO_TOKEN 00202 1956 NtOpenProcessTokenEx (-1, 0x8, 512, ... -2147482584, ) == 0x0 00203 1956 NtQueryInformationToken (-2147482584, Statistics, 0, ... ) == STATUS_BUFFER_TOO_SMALL 00204 1956 NtQueryInformationToken (-2147482584, Statistics, 56, ... {token info, class 10, size 56}, 56, ) == 0x0 00205 1956 NtClose (-2147482584, ... ) == 0x0 00206 1956 NtAllocateVirtualMemory (-1, 0, 0, 32, 4096, 4, ... 5439488, 4096, ) == 0x0 00207 1956 NtFreeVirtualMemory (-1, (0x530000), 4096, 32768, ... (0x530000), 4096, ) == 0x0 00208 1956 NtDuplicateObject (-1, 32, -1, 0x0, 0, 2, ... 40, ) == 0x0 00209 1956 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0 00210 1956 NtQueryValueKey (-2147482584, (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00211 1956 NtClose (-2147482584, ... ) == 0x0 00212 1956 NtOpenKey (0x20019, {24, 0, 0x240, 0, 0, (0x20019, {24, 0, 0x240, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility"}, ... -2147482584, ) }, ... -2147482584, ) == 0x0 00213 1956 NtQueryValueKey (-2147482584, (-2147482584, "packed", Partial, 172, ... ) , Partial, 172, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00214 1956 NtClose (-2147482584, ... ) == 0x0 00215 1956 NtQueryDefaultLocale (0, -139609780, ... ) == 0x0 00216 1956 NtGdiQueryFontAssocInfo (0, ... ) == 0x0 00217 1956 NtUserCallNoParam (24, ... ) == 0x0 00218 1956 NtGdiCreateCompatibleDC (0, ... 00219 1956 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 5439488, 4096, ) == 0x0 00218 1956 NtGdiCreateCompatibleDC ... ) == 0xee0105b0 00220 1956 NtGdiGetStockObject (0, ... ) == 0x1900010 00221 1956 NtGdiGetStockObject (4, ... ) == 0x1900011 00222 1956 NtGdiCreateBitmap (8, 8, 1, 1, 2118200212, ... ) == 0x76050581 00223 1956 NtGdiCreateSolidBrush (0, 0, ... 00224 1956 NtAllocateVirtualMemory (-1, 0, 0, 4096, 12288, 4, ... 8650752, 4096, ) == 0x0 00223 1956 NtGdiCreateSolidBrush ... ) == 0xa51003d2 00225 1956 NtGdiGetStockObject (13, ... ) == 0x18a0021 00226 1956 NtGdiCreateCompatibleDC (0, ... ) == 0x5201039b 00227 1956 NtGdiSelectBitmap (1375798171, 1980040577, ... ) == 0x185000f 00228 1956 NtUserGetThreadDesktop (1956, 0, ... ) == 0x24 00229 1956 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows"}, ... 44, ) }, ... 44, ) == 0x0 00230 1956 NtQueryValueKey (44, (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) , Partial, 64, ... TitleIdx=0, Type=1, Data= (44, "AppInit_DLLs", Partial, 64, ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 00231 1956 NtClose (44, ... ) == 0x0 00232 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00233 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 673, 128, 0, ... ) == 0x8169c017 00234 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00235 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 674, 128, 0, ... ) == 0x8169c01c 00236 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... 
) == 0x10011 00237 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 675, 128, 0, ... ) == 0x8169c01e 00238 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00239 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 676, 128, 0, ... ) == 0x81698002 00240 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10013 00241 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 677, 128, 0, ... ) == 0x8169c018 00242 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00243 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 678, 128, 0, ... ) == 0x8169c01a 00244 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00245 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 679, 128, 0, ... ) == 0x8169c01d 00246 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00247 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 681, 128, 0, ... ) == 0x8169c026 00248 1956 NtUserFindExistingCursorIcon (1240712, 1240728, 1240776, ... ) == 0x10011 00249 1956 NtUserRegisterClassExWOW (1240724, 1240792, 1240808, 1240824, 680, 128, 0, ... ) == 0x8169c019 00250 1956 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c020 00251 1956 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8169c022 00252 1956 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c023 00253 1956 NtUserRegisterClassExWOW (1240932, 1241028, 1241012, 1241000, 0, 130, 0, ... ) == 0x8169c024 00254 1956 NtUserRegisterClassExWOW (1240676, 1240744, 1240760, 1240776, 0, 128, 0, ... ) == 0x8169c025 00255 1956 NtCallbackReturn (0, 0, 0, ... 00256 1956 NtGdiInit (... ) == 0x1 00257 1956 NtGdiGetStockObject (18, ... ) == 0x290001c 00258 1956 NtGdiGetStockObject (19, ... 
) == 0x1b00019 00259 1956 NtAllocateVirtualMemory (-1, 0, 0, 26112, 4096, 64, ... 8716288, 28672, ) == 0x0 00260 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00261 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00262 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 1242908, ... ) }, 1242908, ... ) == 0x0 00263 1956 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2_32.dll"}, 5, 96, ... 44, {status=0x0, info=1}, ) }, 5, 96, ... 44, {status=0x0, info=1}, ) == 0x0 00264 1956 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 44, ... 48, ) == 0x0 00265 1956 NtQuerySection (48, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00266 1956 NtClose (44, ... ) == 0x0 00267 1956 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71ab0000), 0x0, 94208, ) == 0x0 00268 1956 NtClose (48, ... ) == 0x0 00269 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "msvcrt.dll"}, ... 48, ) }, ... 48, ) == 0x0 00270 1956 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77c10000), 0x0, 360448, ) == 0x0 00271 1956 NtClose (48, ... ) == 0x0 00272 1956 NtProtectVirtualMemory (-1, (0x77c11000), 632, 4, ... (0x77c11000), 4096, 32, ) == 0x0 00273 1956 NtProtectVirtualMemory (-1, (0x77c11000), 4096, 32, ... (0x77c11000), 4096, 4, ) == 0x0 00274 1956 NtFlushInstructionCache (-1, 2009141248, 632, ... ) == 0x0 00275 1956 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00276 1956 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00277 1956 NtFlushInstructionCache (-1, 1907036160, 468, ... 
) == 0x0 00278 1956 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WS2HELP.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00279 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00280 1956 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 1242092, ... ) }, 1242092, ... ) == 0x0 00281 1956 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\WS2HELP.dll"}, 5, 96, ... 48, {status=0x0, info=1}, ) }, 5, 96, ... 48, {status=0x0, info=1}, ) == 0x0 00282 1956 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 48, ... 44, ) == 0x0 00283 1956 NtQuerySection (44, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00284 1956 NtClose (48, ... ) == 0x0 00285 1956 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71aa0000), 0x0, 32768, ) == 0x0 00286 1956 NtClose (44, ... ) == 0x0 00287 1956 NtProtectVirtualMemory (-1, (0x71aa1000), 352, 4, ... (0x71aa1000), 4096, 32, ) == 0x0 00288 1956 NtProtectVirtualMemory (-1, (0x71aa1000), 4096, 32, ... (0x71aa1000), 4096, 4, ) == 0x0 00289 1956 NtFlushInstructionCache (-1, 1906970624, 352, ... ) == 0x0 00290 1956 NtProtectVirtualMemory (-1, (0x71ab1000), 468, 4, ... (0x71ab1000), 4096, 32, ) == 0x0 00291 1956 NtProtectVirtualMemory (-1, (0x71ab1000), 4096, 32, ... (0x71ab1000), 4096, 4, ) == 0x0 00292 1956 NtFlushInstructionCache (-1, 1907036160, 468, ... ) == 0x0 00293 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00294 1956 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00295 1956 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 8781824, 65536, ) == 0x0 00296 1956 NtAllocateVirtualMemory (-1, 8781824, 0, 4096, 4096, 4, ... 8781824, 4096, ) == 0x0 00297 1956 NtAllocateVirtualMemory (-1, 8785920, 0, 8192, 4096, 4, ... 8785920, 8192, ) == 0x0 00298 1956 NtAllocateVirtualMemory (-1, 8794112, 0, 4096, 4096, 4, ... 8794112, 4096, ) == 0x0 00299 1956 NtOpenSection (0x4, {24, 0, 0x40, 0, 0, (0x4, {24, 0, 0x40, 0, 0, "\NLS\NlsSectionCType"}, ... 44, ) }, ... 44, ) == 0x0 00300 1956 NtMapViewOfSection (44, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x870000), 0x0, 12288, ) == 0x0 00301 1956 NtClose (44, ... ) == 0x0 00302 1956 NtAllocateVirtualMemory (-1, 8798208, 0, 4096, 4096, 4, ... 8798208, 4096, ) == 0x0 00303 1956 NtQueryVirtualMemory (-1, 0x77c2807c, Basic, 28, ... {BaseAddress=0x77c28000,AllocationBase=0x77c10000,AllocationProtect=0x80,RegionSize=0x35000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 00304 1956 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00305 1956 NtQueryInformationProcess (-1, 36, 4, ... {process info, class 36, size 4}, 0x0, ) == 0x0 00306 1956 NtQueryVirtualMemory (-1, 0x0, Basic, 28, ... {BaseAddress=0x0,AllocationBase=0x0,AllocationProtect=0x0,RegionSize=0x10000,State=0x10000,Protect=0x1,Type=0x0,}, 28, ) == 0x0 00307 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00308 1956 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00309 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00310 1956 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00311 1956 NtFreeVirtualMemory (-1, (0x850000), 0, 32768, ... (0x850000), 28672, ) == 0x0 00312 1956 NtFreeVirtualMemory (-1, (0x320144), 0, 32768, ... (0x320000), 4096, ) == 0x0 00313 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00314 1956 NtAllocateVirtualMemory (-1, 0, 0, 65536, 8192, 4, ... 3276800, 65536, ) == 0x0 00315 1956 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00316 1956 NtAllocateVirtualMemory (-1, 3280896, 0, 20480, 4096, 4, ... 3280896, 20480, ) == 0x0 00317 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 8912896, 1048576, ) == 0x0 00318 1956 NtAllocateVirtualMemory (-1, 8912896, 0, 32768, 4096, 4, ... 8912896, 32768, ) == 0x0 00319 1956 NtOpenDirectoryObject (0x2000f, {24, 0, 0x40, 0, 0, (0x2000f, {24, 0, 0x40, 0, 0, "\BaseNamedObjects"}, ... 44, ) }, ... 44, ) == 0x0 00320 1956 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "Jobaka3"}, 0, ... 48, ) }, 0, ... 
48, ) == 0x0 00321 1956 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\WinSock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00322 1956 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00323 1956 NtQueryValueKey (52, (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (52, "WinSock_Registry_Version", Partial, 144, ... TitleIdx=0, Type=1, Data="2\0.\00\0\0\0"}, 20, ) }, 20, ) == 0x0 00324 1956 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 56, ) == 0x0 00325 1956 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "Protocol_Catalog9"}, ... 60, ) }, ... 60, ) == 0x0 00326 1956 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00327 1956 NtNotifyChangeKey (60, 56, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00328 1956 NtQueryValueKey (60, (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\15\0\0\0"}, 16, ) }, 16, ) == 0x0 00329 1956 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "0000000D"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00330 1956 NtQueryValueKey (60, (60, "Next_Catalog_Entry_ID", Partial, 144, ... TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Next_Catalog_Entry_ID", Partial, 144, ... 
TitleIdx=0, Type=4, Data="#\4\0\0"}, 16, ) }, 16, ) == 0x0 00331 1956 NtQueryValueKey (60, (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (60, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\26\0\0\0"}, 16, ) }, 16, ) == 0x0 00332 1956 NtOpenKey (0x2000000, {24, 60, 0x40, 0, 0, (0x2000000, {24, 60, 0x40, 0, 0, "Catalog_Entries"}, ... 64, ) }, ... 64, ) == 0x0 00333 1956 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00334 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000001"}, ... 68, ) }, ... 68, ) == 0x0 00335 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00336 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00337 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\351\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0T\0C\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0R\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\02\0S\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0T\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0U\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00338 1956 NtClose (68, ... ) == 0x0 00339 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000002"}, ... 68, ) }, ... 
68, ) == 0x0 00340 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00341 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00342 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\352\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0U\0D\0P\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0W\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\03\0X\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0Y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0Z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00343 1956 NtClose (68, ... ) == 0x0 00344 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000003"}, ... 68, ) }, ... 
68, ) == 0x0 00345 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00346 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00347 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 
\0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\6\2\0\0\0\0\0\0\0\0\0\0\0\0\0\14\0\0\0\240\32\17\347\213\253\317\21\214\243\0\200_H\241\222\353\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\3\0\0\0\0\0\0\0\377\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0T\0c\0p\0i\0p\0 \0[\0R\0A\0W\0/\0I\0P\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\04\0]\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0^\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0_\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00348 1956 NtClose (68, ... ) == 0x0 00349 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000004"}, ... 68, ) }, ... 
68, ) == 0x0 00350 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00351 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00352 1956 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00353 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11&\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\354\3\0\0\1\0\0\0\204\370\272\2|\370\272\2\210\371\272\2\4\244`u\\12\0\0\240<_u\260\371\272\2\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\2\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\273\377\0\0\0\0\0\0R\0S\0V\0P\0 \0U\0D\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\1\0\0\0\344\373\272\2\1\0\0\0\330\273\356\0\0\0\0\0=\373\220|\200\371\272\2\0\0\0\0\0\371\272\2l\373\220|q\373\220|\0\0\0\0\200\371\272\2=\373\220|\334\370\272\2\0\0\0\0\204\3\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0b\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\05\0c\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0d\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0e\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00354 1956 NtClose (68, ... ) == 0x0 00355 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000005"}, ... 68, ) }, ... 68, ) == 0x0 00356 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00357 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00358 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 \0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\rsvpsp.dll\0\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5f \2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\340\251`\235z3\320\21\275\210\0\0\300\202\346\232\355\3\0\0\1\0\0\0\210\1\34\0\0\0\34\0\10\0\0\0\0\0\0\0\214\373\272\2\\15\221|\0\0\34\0\6\0\0\0\2\0\0\0\20\0\0\0\20\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0R\0S\0V\0P\0 \0T\0C\0P\0 \0S\0e\0r\0v\0i\0c\0e\0 
\0P\0r\0o\0v\0i\0d\0e\0r\0\0\0\210\1\34\0\0\0\0\0\20\0\0\0P\373\272\2\270Ddu\0\0\0\0(\275\356\0|\373\272\2\364\373\272\2\0\0\34\0\10\0\0\0\0\0\0\0(\374\272\2\\15\221|\0\0\34\0\0\0\0\0\204\3\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0g\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\06\0h\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0i\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0j\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00359 1956 NtClose (68, ... ) == 0x0 00360 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000006"}, ... 68, ) }, ... 68, ) == 0x0 00361 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00362 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00363 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5&\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0d\200\304\237\230r\344C\267\275\30\37 \211y*\374\3\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0 \0\0\0\36\0\0\0\36\0\0\0\1\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0R\0f\0C\0o\0m\0m\0 \0[\0B\0l\0u\0e\0t\0o\0o\0t\0h\0]\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\204\3\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0l\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\07\0m\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0n\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0o\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00364 1956 NtClose (68, ... ) == 0x0 00365 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000007"}, ... 68, ) }, ... 
68, ) == 0x0 00366 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00367 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00368 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\23\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0q\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\08\0r\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0s\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0t\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00369 1956 NtClose (68, ... ) == 0x0 00370 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000008"}, ... 68, ) }, ... 68, ) == 0x0 00371 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00372 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00373 1956 NtAllocateVirtualMemory (-1, 1339392, 0, 4096, 4096, 4, ... 1339392, 4096, ) == 0x0 00374 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\24\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\373\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0F\0C\0C\00\03\0A\04\01\0-\08\0C\0C\0C\0-\04\09\01\09\0-\0A\0\0\0\0\0\204\3\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0w\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\00\09\0x\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0y\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0z\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00375 1956 NtClose (68, ... ) == 0x0 00376 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000009"}, ... 68, ) }, ... 68, ) == 0x0 00377 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_BUFFER_OVERFLOW 00378 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00379 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... 
TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\25\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0|\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\00\0}\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0~\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\177\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) 
}, 900, ) == 0x0 00380 1956 NtClose (68, ... ) == 0x0 00381 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000010"}, ... 68, ) }, ... 68, ) == 0x0 00382 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00383 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00384 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\26\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\374\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0A\0E\07\04\02\01\0B\05\0-\07\03\02\0D\0-\04\05\06\07\0-\0A\0\0\0\0\0\204\3\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\201\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\01\0\202\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\203\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\204\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00385 1956 NtClose (68, ... ) == 0x0 00386 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000011"}, ... 68, ) }, ... 
68, ) == 0x0 00387 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00388 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00389 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\27\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\206\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\02\0\207\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\210\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\211\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00390 1956 NtClose (68, ... ) == 0x0 00391 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000012"}, ... 68, ) }, ... 
68, ) == 0x0 00392 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00393 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00394 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\30\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\375\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\09\07\0C\02\0D\09\0F\04\0-\06\09\05\04\0-\04\0E\0B\03\0-\08\0\0\0\0\0\204\3\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\213\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\03\0\214\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\215\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\216\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00395 1956 NtClose (68, ... ) == 0x0 00396 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000013"}, ... 68, ) }, ... 
68, ) == 0x0 00397 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00398 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00399 1956 NtAllocateVirtualMemory (-1, 1343488, 0, 4096, 4096, 4, ... 1343488, 4096, ) == 0x0 00400 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\31\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\221\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\04\0\222\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\223\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\224\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00401 1956 NtClose (68, ... ) == 0x0 00402 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000014"}, ... 68, ) }, ... 
68, ) == 0x0 00403 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00404 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00405 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\32\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\0\0\0\200\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\00\0D\04\03\00\0A\06\0F\0-\00\04\01\00\0-\04\0A\06\08\0-\09\0\0\0\0\0\204\3\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\226\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\05\0\227\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\230\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\231\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00406 1956 NtClose (68, ... ) == 0x0 00407 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000015"}, ... 68, ) }, ... 
68, ) == 0x0 00408 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00409 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00410 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\33\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\233\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\06\0\234\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\235\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\236\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00411 1956 NtClose (68, ... ) == 0x0 00412 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000016"}, ... 68, ) }, ... 
68, ) == 0x0 00413 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00414 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00415 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\34\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\08\0A\0D\04\0D\08\00\06\0-\00\08\01\0B\0-\04\04\04\06\0-\0A\0\0\0\0\0\204\3\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\240\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\07\0\241\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\242\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\243\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00416 1956 NtClose (68, ... ) == 0x0 00417 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000017"}, ... 68, ) }, ... 
68, ) == 0x0 00418 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00419 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00420 1956 NtAllocateVirtualMemory (-1, 1347584, 0, 4096, 4096, 4, ... 1347584, 4096, ) == 0x0 00421 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\35\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\246\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\08\0\247\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\250\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\251\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00422 1956 NtClose (68, ... ) == 0x0 00423 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000018"}, ... 68, ) }, ... 
68, ) == 0x0 00424 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00425 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00426 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\36\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\376\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0E\05\05\09\0B\00\0C\01\0-\0F\0A\04\06\0-\04\06\04\0D\0-\0B\0\0\0\0\0\204\3\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\253\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\01\09\0\254\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\255\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\256\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00427 1956 NtClose (68, ... ) == 0x0 00428 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000019"}, ... 68, ) }, ... 
68, ) == 0x0 00429 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00430 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00431 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, 
"PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222\37\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\260\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\00\0\261\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\262\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\263\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00432 1956 NtClose (68, ... ) == 0x0 00433 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000020"}, ... 68, ) }, ... 
68, ) == 0x0 00434 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00435 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00436 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222 \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\372\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\0C\0D\03\0C\06\04\0B\08\0-\0D\0B\07\06\0-\04\04\0C\08\0-\09\0\0\0\0\0\204\3\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\265\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\01\0\266\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\267\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\270\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00437 1956 NtClose (68, ... ) == 0x0 00438 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000021"}, ... 68, ) }, ... 
68, ) == 0x0 00439 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00440 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00441 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) \0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0 (68, "PackedCatalogItem", 
Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\16\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222!\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\5\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\272\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0H\0\0\0\31\0\2\0\0\0\0\0\30\0\0\0@\0\0\0`\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\30\0\32\0\370L\24\0\0\0\0\00\00\00\00\00\00\00\00\00\00\02\02\0\273\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0D\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0t\0e\0m\0\24\0\2\0\0\0\220\0\0\0\274\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\1\0\1\0\5\0\0\200\0\0\0\0\275\1\0\0\14\5\0\0\244\7\0\0\200\0\0\0\0\0\1\0\0\0\0\0@\0\0\0D\0\0\0\0\0\0\0"\0\12\2\0\334\375\177\0\0\0\0P\0a\0c\0k\0e\0d\0C\0a\0t\0a\0l\0o\0g\0I\0"}, 900, ) }, 900, ) == 0x0 00442 1956 NtClose (68, ... ) == 0x0 00443 1956 NtOpenKey (0x20019, {24, 64, 0x40, 0, 0, (0x20019, {24, 64, 0x40, 0, 0, "000000000022"}, ... 68, ) }, ... 
68, ) == 0x0 00444 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00445 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00446 1956 NtAllocateVirtualMemory (-1, 1351680, 0, 4096, 4096, 4, ... 1351680, 4096, ) == 0x0 00447 1956 NtQueryValueKey (68, (68, "PackedCatalogItem", Partial, 900, ... TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) , Partial, 900, ... TitleIdx=0, Type=3, Data= (68, "PackedCatalogItem", Partial, 900, ... 
TitleIdx=0, Type=3, Data="%SystemRoot%\system32\mswsock.dll\0\26\0\10@w\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0{\1\11\0;\0\16\1X\253\26\0\10@w\16\09\01\0A\06\0F\0E\02\05\02\0D\03\0F\0B\08\0E\06\0C\0C\07\06\0C\06\03\0F\09\0B\0C\0D\04\0C\07\01\0E\0B\00\0\0\0\2404\2002\0W\14\0\14\0\317\1\15\10Q0,\6\12+\6\1\4\1\2027\2\1\31\242\36\200\34\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>0!0\11\6\5+\16\3\2\32\5\11\2\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\00\30_\215s\302\317\21\225\310\0\200_H\241\222"\4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 \0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) \4\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\24\0\0\0\24\0\0\0\2\0\0\0\371\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\372\0\0\0\0\0\0M\0S\0A\0F\0D\0 \0N\0e\0t\0B\0I\0O\0S\0 
\0[\0\\0D\0e\0v\0i\0c\0e\0\\0N\0e\0t\0B\0T\0_\0T\0c\0p\0i\0p\0_\0{\02\01\0B\08\0E\09\0D\05\0-\03\0F\0C\03\0-\04\0F\09\0D\0-\08\0\0\0\0\0\204\3\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0D\0\0\0\300\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\0\0\1\0\0\0\0\0\4\0\0\0@\0\0\0\301\1\0\0\14\5\0\0\244\7\0\0\17\0\0\0\1\0\1\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\0\0\1\0\0\0\0\0\24\0\0\08\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\302\1\0\0\14\5\0\0\244\7\0\0\305\0\0\0\1\0\1\0\2\1\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\0\0\1\0\0\0\0\0\24\0\0\0\3\0\37\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\303\1\0\0\14\5\0\0\244\7\0\0\25\0\0\0\1\0\1\0\0\0\0\0\10\0\0\0\0\0\0\0@\0\0\0\304\1\0\0\14\5\0\0\244\7\0\0Q\0\0\0\0\0\1\0\0\0\0\0T\0\0\0\0\0\0\2\0\0\0\0\30\0\0\04\0\0\0\210\374\22\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0\310L\24\0\0\0\0\0N\0a\0m\0e\0S\0p\0a\0c\0e\0_\0C\0a\0t\0a\0l\0o\0g\05\0"}, 900, ) == 0x0 00448 1956 NtClose (68, ... ) == 0x0 00449 1956 NtClose (64, ... ) == 0x0 00450 1956 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00451 1956 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 64, ) == 0x0 00452 1956 NtOpenKey (0x2000000, {24, 52, 0x40, 0, 0, (0x2000000, {24, 52, 0x40, 0, 0, "NameSpace_Catalog5"}, ... 68, ) }, ... 68, ) == 0x0 00453 1956 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00454 1956 NtNotifyChangeKey (68, 64, 0, 0, 2011455960, 1, 0, 0, 0, 1, ... ) == 0x103 00455 1956 NtQueryValueKey (68, (68, "Serial_Access_Num", Partial, 144, ... TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Serial_Access_Num", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\5\0\0\0"}, 16, ) }, 16, ) == 0x0 00456 1956 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "00000005"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00457 1956 NtQueryValueKey (68, (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (68, "Num_Catalog_Entries", Partial, 144, ... TitleIdx=0, Type=4, Data="\4\0\0\0"}, 16, ) }, 16, ) == 0x0 00458 1956 NtOpenKey (0x2000000, {24, 68, 0x40, 0, 0, (0x2000000, {24, 68, 0x40, 0, 0, "Catalog_Entries"}, ... 72, ) }, ... 72, ) == 0x0 00459 1956 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000001"}, ... 76, ) }, ... 76, ) == 0x0 00460 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00461 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00462 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00463 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00464 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00465 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="T\0c\0p\0i\0p\0\0\0"}, 24, ) }, 24, ) == 0x0 00466 1956 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="@\235\5"\236~\317\21\256Z\0\252\0\247\21+"}, 28, ) \236~\317\21\256Z\0\252\0\247\21+"}, 28, ) == 0x0 00467 1956 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00468 1956 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\14\0\0\0"}, 16, ) }, 16, ) == 0x0 00469 1956 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00470 1956 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00471 1956 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00472 1956 NtClose (76, ... ) == 0x0 00473 1956 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000002"}, ... 76, ) }, ... 76, ) == 0x0 00474 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00475 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0i\0n\0r\0n\0r\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00476 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00477 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00478 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00479 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0T\0D\0S\0\0\0"}, 22, ) }, 22, ) == 0x0 00480 1956 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\3567&;\200\345\317\21\245U\0\300O\330\324\254"}, 28, ) }, 28, ) == 0x0 00481 1956 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00482 1956 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data=" \0\0\0"}, 16, ) }, 16, ) == 0x0 00483 1956 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00484 1956 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00485 1956 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00486 1956 NtClose (76, ... ) == 0x0 00487 1956 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000003"}, ... 76, ) }, ... 76, ) == 0x0 00488 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00489 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0m\0s\0w\0s\0o\0c\0k\0.\0d\0l\0l\0\0\0"}, 80, ) }, 80, ) == 0x0 00490 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00491 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... 
TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00492 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00493 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="N\0e\0t\0w\0o\0r\0k\0 \0L\0o\0c\0a\0t\0i\0o\0n\0 \0A\0w\0a\0r\0e\0n\0e\0s\0s\0 \0(\0N\0L\0A\0)\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 98, ) }, 98, ) == 0x0 00494 1956 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data=":$Bf\250;\246J\272\245.\13\327\37\335\203"}, 28, ) }, 28, ) == 0x0 00495 1956 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 1956 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... 
TitleIdx=0, Type=4, Data="\17\0\0\0"}, 16, ) }, 16, ) == 0x0 00497 1956 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00498 1956 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00499 1956 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00500 1956 NtClose (76, ... ) == 0x0 00501 1956 NtOpenKey (0x20019, {24, 72, 0x40, 0, 0, (0x20019, {24, 72, 0x40, 0, 0, "000000000004"}, ... 76, ) }, ... 76, ) == 0x0 00502 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00503 1956 NtQueryValueKey (76, (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "LibraryPath", Partial, 144, ... TitleIdx=0, Type=1, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0s\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0b\0t\0h\0.\0d\0l\0l\0\0\0"}, 78, ) }, 78, ) == 0x0 00504 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... 
TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00505 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00506 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00507 1956 NtQueryValueKey (76, (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) , Partial, 144, ... TitleIdx=0, Type=1, Data= (76, "DisplayString", Partial, 144, ... TitleIdx=0, Type=1, Data="B\0l\0u\0e\0t\0o\0o\0t\0h\0 \0N\0a\0m\0e\0s\0p\0a\0c\0e\0\0\0"}, 52, ) }, 52, ) == 0x0 00508 1956 NtQueryValueKey (76, (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) , Partial, 144, ... TitleIdx=0, Type=3, Data= (76, "ProviderId", Partial, 144, ... TitleIdx=0, Type=3, Data="\340c\252\6`}\377A\257\262>\346\322\3319-"}, 28, ) }, 28, ) == 0x0 00509 1956 NtQueryValueKey (76, (76, "AddressFamily", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 1956 NtQueryValueKey (76, (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (76, "SupportedNameSpace", Partial, 144, ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 00511 1956 NtQueryValueKey (76, (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Enabled", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00512 1956 NtQueryValueKey (76, (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "Version", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00513 1956 NtQueryValueKey (76, (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (76, "StoresServiceClassInfo", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00514 1956 NtClose (76, ... ) == 0x0 00515 1956 NtClose (72, ... ) == 0x0 00516 1956 NtWaitForSingleObject (64, 0, {0, 0}, ... ) == 0x102 00517 1956 NtClose (52, ... ) == 0x0 00518 1956 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00519 1956 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00520 1956 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Winsock2\Parameters"}, ... 52, ) }, ... 52, ) == 0x0 00521 1956 NtQueryValueKey (52, (52, "Ws2_32NumHandleBuckets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00522 1956 NtClose (52, ... ) == 0x0 00523 1956 NtAllocateVirtualMemory (-1, 1355776, 0, 4096, 4096, 4, ... 
1355776, 4096, ) == 0x0 00524 1956 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 52, ) == 0x0 00525 1956 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1241648, (0x80100080, {24, 0, 0x40, 0, 1241648, "\??\u:\work\packed.exe"}, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) }, 0x0, 0, 1, 1, 2097252, 0, 0, ... 72, {status=0x0, info=1}, ) == 0x0 00526 1956 NtQueryInformationFile (72, 1242084, 8, AttributeFlag, ... {status=0x0, info=8}, ) == 0x0 00527 1956 NtQueryInformationFile (72, 1242000, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00528 1956 NtQueryInformationFile (72, 1241816, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00529 1956 NtAllocateVirtualMemory (-1, 1359872, 0, 8192, 4096, 4, ... 1359872, 8192, ) == 0x0 00530 1956 NtQueryInformationFile (72, 1355896, 4094, Stream, ... {status=0x0, info=38}, ) == 0x0 00531 1956 NtQueryInformationFile (72, 1240264, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00532 1956 NtQueryInformationFile (72, 1240540, 4, Ea, ... {status=0x0, info=4}, ) == 0x0 00533 1956 NtCreateFile (0x40110080, {24, 0, 0x40, 0, 1240416, (0x40110080, {24, 0, 0x40, 0, 1240416, "\??\C:\WINDOWS\avserve2.exe"}, 0x0, 32, 0, 5, 100, 0, 0, ... }, 0x0, 32, 0, 5, 100, 0, 0, ... 00534 1956 NtClose (-2147482584, ... ) == 0x0 00533 1956 NtCreateFile ... 76, {status=0x0, info=2}, ) == 0x0 00535 1956 NtQueryVolumeInformationFile (76, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00536 1956 NtQueryInformationFile (76, 1240152, 40, Basic, ... {status=0x0, info=40}, ) == 0x0 00537 1956 NtQueryVolumeInformationFile (72, 1240568, 536, Attribute, ... {status=0x0, info=20}, ) == 0x0 00538 1956 NtSetInformationFile (76, 1240468, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00539 1956 NtCreateSection (0xf001f, 0x0, 0x0, 2, 134217728, 72, ... 80, ) == 0x0 00540 1956 NtMapViewOfSection (80, -1, (0x0), 0, 0, {0, 0}, 0, 1, 0, 2, ... (0x850000), {0, 0}, 16384, ) == 0x0 00541 1956 NtClose (80, ... 
) == 0x0 00542 1956 NtWriteFile (76, 0, 0, 0, (76, 0, 0, 0, "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\324%^\221\220D0\302\220D0\302\220D0\302x[:\302\212D0\302\23X>\302\233D0\302\220D1\302\331D0\302\362[#\302\231D0\302x[;\302\224D0\302(B6\302\221D0\302Rich\220D0\302\0\0\0\0\0\0\0\0PE\0\0L\1\2\0d\347\223@\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0>\0\0\0"\0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) \0\0\0\0\0\0>(\0\0\0\20\0\0\0P\0\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\240\1\0\0\4\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0$\220\0\0\212\0\0\0\0\220\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0.text\0\0\0\0\200\0\0\0\20\0\0\00\0\0\0\4\0\02CEP\0\0\0\0\0\0\0\0 \0\0\340.rsr", 15872, 0x0, 0, ... {status=0x0, info=15872}, ) == 0x0 00543 1956 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 00544 1956 NtSetInformationFile (76, 1241816, 40, Basic, ... {status=0x0, info=0}, ) == 0x0 00545 1956 NtClose (72, ... ) == 0x0 00546 1956 NtClose (76, ... 
) == 0x0 00547 1956 NtOpenKey (0x2000000, {24, 28, 0x40, 0, 0, (0x2000000, {24, 28, 0x40, 0, 0, "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}, ... 76, ) }, ... 76, ) == 0x0 00548 1956 NtSetValueKey (76, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 0, 1, (76, "avserve2.exe", 0, 1, "C\0:\0\\0W\0I\0N\0D\0O\0W\0S\0\\0a\0v\0s\0e\0r\0v\0e\02\0.\0e\0x\0e\0\0\0", 48, ... , 48, ... 00549 1956 NtSetInformationFile (-2147482448, -139610320, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00550 1956 NtSetInformationFile (-2147482448, -139610412, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00551 1956 NtSetInformationFile (-2147482448, -139610720, 8, EndOfFile, ... {status=0x0, info=0}, ) == 0x0 00548 1956 NtSetValueKey ... ) == 0x0 00552 1956 NtClose (76, ... ) == 0x0 00553 1956 NtCreateMutant (0x1f0001, {24, 44, 0x80, 0, 0, (0x1f0001, {24, 44, 0x80, 0, 0, "JumpallsNlsTillt"}, 0, ... 76, ) }, 0, ... 76, ) == 0x0 00554 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 9961472, 1048576, ) == 0x0 00555 1956 NtAllocateVirtualMemory (-1, 11001856, 0, 8192, 4096, 4, ... 11001856, 8192, ) == 0x0 00556 1956 NtProtectVirtualMemory (-1, (0xa7e000), 4096, 260, ... (0xa7e000), 4096, 4, ) == 0x0 00557 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 72, {1292, 1068}, ) == 0x0 00558 1956 NtQueryInformationThread (72, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdc000,Pid=1292,Tid=1068,}, 0x0, ) == 0x0 00559 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\14\5\0\0,\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\14\5\0\0,\4\0\0" ) ... 
{28, 56, reply, 0, 1292, 1956, 57974, 0} (24, {28, 56, new_msg, 0, 1244884, 2089878865, 1315560, 2089878893} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\14\5\0\0,\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\0\0\0\14\5\0\0,\4\0\0" ) ) == 0x0 00560 1956 NtResumeThread (72, ... 1, ) == 0x0 00561 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 11010048, 1048576, ) == 0x0 00562 1956 NtAllocateVirtualMemory (-1, 12050432, 0, 8192, 4096, 4, ... 12050432, 8192, ) == 0x0 00563 1956 NtProtectVirtualMemory (-1, (0xb7e000), 4096, 260, ... 00564 1068 NtTestAlert (... ) == 0x0 00565 1068 NtContinue (11009328, 1, ... 00566 1068 NtRegisterThreadTerminatePort (24, ... ) == 0x0 00567 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 80, ) == 0x0 00568 1068 NtWaitForSingleObject (56, 0, {0, 0}, ... ) == 0x102 00569 1068 NtAllocateVirtualMemory (-1, 10997760, 0, 4096, 4096, 260, ... 00563 1956 NtProtectVirtualMemory ... (0xb7e000), 4096, 4, ) == 0x0 00570 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 84, {1292, 1856}, ) == 0x0 00571 1956 NtQueryInformationThread (84, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffdb000,Pid=1292,Tid=1856,}, 0x0, ) == 0x0 00572 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57974, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\14\5\0\0@\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\14\5\0\0@\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57975, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57974, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\14\5\0\0@\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\0\0\0\14\5\0\0@\7\0\0" ) ) == 0x0 00573 1956 NtResumeThread (84, ... 1, ) == 0x0 00574 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 12058624, 1048576, ) == 0x0 00569 1068 NtAllocateVirtualMemory ... 
10997760, 4096, ) == 0x0 00575 1856 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00576 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006452, ... }, 11006452, ... 00575 1856 NtCreateEvent ... 88, ) == 0x0 00576 1068 NtQueryAttributesFile ... ) == 0x0 00577 1856 NtWaitForSingleObject (88, 0, 0x0, ... 00578 1068 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 92, {status=0x0, info=1}, ) }, 5, 96, ... 92, {status=0x0, info=1}, ) == 0x0 00579 1068 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 92, ... 96, ) == 0x0 00580 1068 NtClose (92, ... ) == 0x0 00581 1068 NtMapViewOfSection (96, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0xc80000), 0x0, 245760, ) == 0x0 00582 1068 NtClose (96, ... 00583 1956 NtAllocateVirtualMemory (-1, 13099008, 0, 8192, 4096, 4, ... 13099008, 8192, ) == 0x0 00584 1956 NtProtectVirtualMemory (-1, (0xc7e000), 4096, 260, ... (0xc7e000), 4096, 4, ) == 0x0 00585 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 92, {1292, 1596}, ) == 0x0 00586 1956 NtQueryInformationThread (92, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffda000,Pid=1292,Tid=1596,}, 0x0, ) == 0x0 00587 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57975, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\14\5\0\0<\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\14\5\0\0<\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57976, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57975, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\14\5\0\0<\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\\0\0\0\14\5\0\0<\6\0\0" ) ) == 0x0 00588 1956 NtResumeThread (92, ... 00582 1068 NtClose ... ) == 0x0 00588 1956 NtResumeThread ... 1, ) == 0x0 00589 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
13369344, 1048576, ) == 0x0 00590 1956 NtAllocateVirtualMemory (-1, 14409728, 0, 8192, 4096, 4, ... 14409728, 8192, ) == 0x0 00591 1956 NtProtectVirtualMemory (-1, (0xdbe000), 4096, 260, ... 00592 1596 NtWaitForSingleObject (88, 0, 0x0, ... 00591 1956 NtProtectVirtualMemory ... (0xdbe000), 4096, 4, ) == 0x0 00593 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00594 1068 NtUnmapViewOfSection (-1, 0xc80000, ... ) == 0x0 00595 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006760, ... ) }, 11006760, ... ) == 0x0 00596 1068 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 5, 96, ... 96, {status=0x0, info=1}, ) }, 5, 96, ... 96, {status=0x0, info=1}, ) == 0x0 00597 1068 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 96, ... 100, ) == 0x0 00598 1068 NtQuerySection (100, Image, 48, ... 00593 1956 NtCreateThread ... 104, {1292, 1128}, ) == 0x0 00599 1956 NtQueryInformationThread (104, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd9000,Pid=1292,Tid=1128,}, 0x0, ) == 0x0 00600 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57976, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\14\5\0\0h\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\14\5\0\0h\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57977, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57976, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\14\5\0\0h\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\0\0\0\14\5\0\0h\4\0\0" ) ) == 0x0 00601 1956 NtResumeThread (104, ... 1, ) == 0x0 00602 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 14417920, 1048576, ) == 0x0 00598 1068 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00603 1128 NtWaitForSingleObject (88, 0, 0x0, ... 00604 1068 NtClose (96, ... 
) == 0x0 00605 1068 NtMapViewOfSection (100, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a50000), 0x0, 258048, ) == 0x0 00606 1068 NtClose (100, ... ) == 0x0 00607 1068 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00608 1068 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00609 1956 NtAllocateVirtualMemory (-1, 15458304, 0, 8192, 4096, 4, ... 15458304, 8192, ) == 0x0 00610 1956 NtProtectVirtualMemory (-1, (0xebe000), 4096, 260, ... (0xebe000), 4096, 4, ) == 0x0 00611 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 100, {1292, 1256}, ) == 0x0 00612 1956 NtQueryInformationThread (100, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd8000,Pid=1292,Tid=1256,}, 0x0, ) == 0x0 00613 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57977, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\14\5\0\0\350\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\14\5\0\0\350\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57978, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57977, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\14\5\0\0\350\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\0\0\0\14\5\0\0\350\4\0\0" ) ) == 0x0 00614 1956 NtResumeThread (100, ... 00608 1068 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00615 1068 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00616 1068 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00617 1068 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... (0x71a51000), 4096, 4, ) == 0x0 00618 1068 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00619 1068 NtProtectVirtualMemory (-1, (0x71a51000), 1060, 4, ... (0x71a51000), 4096, 32, ) == 0x0 00620 1068 NtProtectVirtualMemory (-1, (0x71a51000), 4096, 32, ... 00614 1956 NtResumeThread ... 
1, ) == 0x0 00621 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 15466496, 1048576, ) == 0x0 00622 1956 NtAllocateVirtualMemory (-1, 16506880, 0, 8192, 4096, 4, ... 16506880, 8192, ) == 0x0 00623 1956 NtProtectVirtualMemory (-1, (0xfbe000), 4096, 260, ... (0xfbe000), 4096, 4, ) == 0x0 00624 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 96, {1292, 220}, ) == 0x0 00625 1956 NtQueryInformationThread (96, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd7000,Pid=1292,Tid=220,}, 0x0, ) == 0x0 00626 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57978, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57978, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\14\5\0\0\334\0\0\0" ... ... 00620 1068 NtProtectVirtualMemory ... (0x71a51000), 4096, 4, ) == 0x0 00627 1256 NtWaitForSingleObject (88, 0, 0x0, ... 00628 1068 NtFlushInstructionCache (-1, 1906642944, 1060, ... ) == 0x0 00629 1068 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00630 1068 NtQuerySystemInformation (Basic, 44, ... {Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00631 1068 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00632 1068 NtSetEventBoostPriority (88, ... 00626 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57979, 0} ... {28, 56, reply, 0, 1292, 1956, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\0\0\0\14\5\0\0\334\0\0\0" ) ) == 0x0 00633 1956 NtResumeThread (96, ... 1, ) == 0x0 00634 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
16515072, 1048576, ) == 0x0 00635 1956 NtAllocateVirtualMemory (-1, 17555456, 0, 8192, 4096, 4, ... 17555456, 8192, ) == 0x0 00636 1956 NtProtectVirtualMemory (-1, (0x10be000), 4096, 260, ... (0x10be000), 4096, 4, ) == 0x0 00637 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 108, {1292, 1800}, ) == 0x0 00577 1856 NtWaitForSingleObject ... ) == 0x0 00632 1068 NtSetEventBoostPriority ... ) == 0x0 00638 220 NtWaitForSingleObject (88, 0, 0x0, ... 00639 1856 NtSetEventBoostPriority (88, ... 00640 1068 NtWaitForSingleObject (88, 0, 0x0, ... 00592 1596 NtWaitForSingleObject ... ) == 0x0 00639 1856 NtSetEventBoostPriority ... ) == 0x0 00641 1596 NtSetEventBoostPriority (88, ... 00642 1956 NtQueryInformationThread (108, Basic, 28, ... 00603 1128 NtWaitForSingleObject ... ) == 0x0 00641 1596 NtSetEventBoostPriority ... ) == 0x0 00643 1128 NtSetEventBoostPriority (88, ... 00642 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd6000,Pid=1292,Tid=1800,}, 0x0, ) == 0x0 00644 1856 NtTestAlert (... 00627 1256 NtWaitForSingleObject ... ) == 0x0 00643 1128 NtSetEventBoostPriority ... ) == 0x0 00645 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57979, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57979, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\14\5\0\0\10\7\0\0" ... ... 00646 1256 NtSetEventBoostPriority (88, ... 00644 1856 NtTestAlert ... ) == 0x0 00647 1596 NtTestAlert (... 00638 220 NtWaitForSingleObject ... ) == 0x0 00646 1256 NtSetEventBoostPriority ... ) == 0x0 00645 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57980, 0} ... {28, 56, reply, 0, 1292, 1956, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\0\0\0\14\5\0\0\10\7\0\0" ) ) == 0x0 00648 1856 NtContinue (12057904, 1, ... 00649 220 NtSetEventBoostPriority (88, ... 00647 1596 NtTestAlert ... ) == 0x0 00650 1128 NtTestAlert (... 00651 1956 NtResumeThread (108, ... 00640 1068 NtWaitForSingleObject ... ) == 0x0 00649 220 NtSetEventBoostPriority ... 
) == 0x0 00652 1856 NtRegisterThreadTerminatePort (24, ... 00653 1596 NtContinue (13106480, 1, ... 00650 1128 NtTestAlert ... ) == 0x0 00654 1256 NtTestAlert (... 00655 1068 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00651 1956 NtResumeThread ... 1, ) == 0x0 00652 1856 NtRegisterThreadTerminatePort ... ) == 0x0 00656 1596 NtRegisterThreadTerminatePort (24, ... 00657 1128 NtContinue (14417200, 1, ... 00655 1068 NtCreateEvent ... 112, ) == 0x0 00654 1256 NtTestAlert ... ) == 0x0 00658 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00659 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00656 1596 NtRegisterThreadTerminatePort ... ) == 0x0 00660 1128 NtRegisterThreadTerminatePort (24, ... 00661 220 NtTestAlert (... 00662 1800 NtTestAlert (... 00663 1256 NtContinue (15465776, 1, ... 00658 1956 NtAllocateVirtualMemory ... 17563648, 1048576, ) == 0x0 00664 1068 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "hnetcfg.dll"}, ... }, ... 00665 1596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00660 1128 NtRegisterThreadTerminatePort ... ) == 0x0 00661 220 NtTestAlert ... ) == 0x0 00662 1800 NtTestAlert ... ) == 0x0 00666 1256 NtRegisterThreadTerminatePort (24, ... 00667 1956 NtAllocateVirtualMemory (-1, 18604032, 0, 8192, 4096, 4, ... 00664 1068 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00659 1856 NtDuplicateObject ... 116, ) == 0x0 00668 1128 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00669 220 NtContinue (16514352, 1, ... 00670 1800 NtContinue (17562928, 1, ... 00666 1256 NtRegisterThreadTerminatePort ... ) == 0x0 00667 1956 NtAllocateVirtualMemory ... 18604032, 8192, ) == 0x0 00671 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00672 1856 NtWaitForSingleObject (64, 0, {0, 0}, ... 00665 1596 NtDuplicateObject ... 120, ) == 0x0 00673 220 NtRegisterThreadTerminatePort (24, ... 00674 1800 NtRegisterThreadTerminatePort (24, ... 
00675 1256 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00676 1956 NtProtectVirtualMemory (-1, (0x11be000), 4096, 260, ... 00672 1856 NtWaitForSingleObject ... ) == 0x102 00677 1596 NtWaitForSingleObject (64, 0, {0, 0}, ... 00673 220 NtRegisterThreadTerminatePort ... ) == 0x0 00674 1800 NtRegisterThreadTerminatePort ... ) == 0x0 00668 1128 NtDuplicateObject ... 124, ) == 0x0 00675 1256 NtDuplicateObject ... 128, ) == 0x0 00678 1856 NtAllocateVirtualMemory (-1, 12046336, 0, 4096, 4096, 260, ... 00677 1596 NtWaitForSingleObject ... ) == 0x102 00679 220 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00676 1956 NtProtectVirtualMemory ... (0x11be000), 4096, 4, ) == 0x0 00680 1128 NtWaitForSingleObject (64, 0, {0, 0}, ... 00681 1256 NtWaitForSingleObject (64, 0, {0, 0}, ... 00678 1856 NtAllocateVirtualMemory ... 12046336, 4096, ) == 0x0 00682 1596 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00683 1800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00684 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00680 1128 NtWaitForSingleObject ... ) == 0x102 00681 1256 NtWaitForSingleObject ... ) == 0x102 00679 220 NtDuplicateObject ... 132, ) == 0x0 00682 1596 NtCreateEvent ... 136, ) == 0x0 00683 1800 NtDuplicateObject ... 140, ) == 0x0 00684 1956 NtCreateThread ... 144, {1292, 1796}, ) == 0x0 00685 1128 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00686 1256 NtCreateEvent (0x100003, 0x0, 1, 0, ... 00687 220 NtWaitForSingleObject (64, 0, {0, 0}, ... 00688 1856 NtWaitForSingleObject (88, 0, 0x0, ... 00689 1800 NtWaitForSingleObject (64, 0, {0, 0}, ... 00690 1956 NtQueryInformationThread (144, Basic, 28, ... 00685 1128 NtCreateEvent ... 148, ) == 0x0 00686 1256 NtCreateEvent ... 152, ) == 0x0 00687 220 NtWaitForSingleObject ... ) == 0x102 00689 1800 NtWaitForSingleObject ... ) == 0x102 00690 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffd5000,Pid=1292,Tid=1796,}, 0x0, ) == 0x0 00691 1596 NtWaitForSingleObject (136, 0, 0x0, ... 
00692 1128 NtClose (148, ... 00693 220 NtWaitForSingleObject (136, 0, 0x0, ... 00694 1800 NtWaitForSingleObject (136, 0, 0x0, ... 00695 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57980, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57980, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\5\0\0\4\7\0\0" ... ... 00692 1128 NtClose ... ) == 0x0 00696 1256 NtClose (152, ... 00671 1068 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00697 1128 NtWaitForSingleObject (136, 0, 0x0, ... 00696 1256 NtClose ... ) == 0x0 00698 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 11006372, ... }, 11006372, ... 00699 1256 NtWaitForSingleObject (136, 0, 0x0, ... 00698 1068 NtQueryAttributesFile ... ) == 0x0 00700 1068 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\hnetcfg.dll"}, 5, 96, ... 152, {status=0x0, info=1}, ) }, 5, 96, ... 152, {status=0x0, info=1}, ) == 0x0 00701 1068 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 152, ... 148, ) == 0x0 00702 1068 NtQuerySection (148, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00703 1068 NtClose (152, ... ) == 0x0 00704 1068 NtMapViewOfSection (148, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00695 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57981, 0} ... {28, 56, reply, 0, 1292, 1956, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\0\0\0\14\5\0\0\4\7\0\0" ) ) == 0x0 00705 1956 NtResumeThread (144, ... 1, ) == 0x0 00706 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 18612224, 1048576, ) == 0x0 00707 1956 NtAllocateVirtualMemory (-1, 19652608, 0, 8192, 4096, 4, ... 19652608, 8192, ) == 0x0 00708 1956 NtProtectVirtualMemory (-1, (0x12be000), 4096, 260, ... (0x12be000), 4096, 4, ) == 0x0 00709 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 152, {1292, 1808}, ) == 0x0 00704 1068 NtMapViewOfSection ... 
(0x662b0000), 0x0, 360448, ) == 0x0 00710 1796 NtWaitForSingleObject (88, 0, 0x0, ... 00711 1068 NtClose (148, ... ) == 0x0 00712 1068 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00713 1068 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00714 1068 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00715 1068 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00716 1068 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00717 1956 NtQueryInformationThread (152, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffd4000,Pid=1292,Tid=1808,}, 0x0, ) == 0x0 00718 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57981, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\14\5\0\0\20\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\14\5\0\0\20\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57982, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57981, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\14\5\0\0\20\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\0\0\0\14\5\0\0\20\7\0\0" ) ) == 0x0 00719 1956 NtResumeThread (152, ... 1, ) == 0x0 00720 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 19660800, 1048576, ) == 0x0 00721 1956 NtAllocateVirtualMemory (-1, 20701184, 0, 8192, 4096, 4, ... 20701184, 8192, ) == 0x0 00722 1956 NtProtectVirtualMemory (-1, (0x13be000), 4096, 260, ... 00716 1068 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00723 1808 NtWaitForSingleObject (88, 0, 0x0, ... 00724 1068 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00725 1068 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00726 1068 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 
(0x662b1000), 4096, 4, ) == 0x0 00727 1068 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00728 1068 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00729 1068 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... 00722 1956 NtProtectVirtualMemory ... (0x13be000), 4096, 4, ) == 0x0 00730 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 148, {1292, 1700}, ) == 0x0 00731 1956 NtQueryInformationThread (148, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaf000,Pid=1292,Tid=1700,}, 0x0, ) == 0x0 00732 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57982, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\5\0\0\244\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\5\0\0\244\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57983, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57982, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\5\0\0\244\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\0\0\0\14\5\0\0\244\6\0\0" ) ) == 0x0 00733 1956 NtResumeThread (148, ... 1, ) == 0x0 00734 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 20709376, 1048576, ) == 0x0 00729 1068 NtProtectVirtualMemory ... (0x662b1000), 4096, 4, ) == 0x0 00735 1700 NtWaitForSingleObject (88, 0, 0x0, ... 00736 1068 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00737 1068 NtProtectVirtualMemory (-1, (0x662b1000), 932, 4, ... (0x662b1000), 4096, 32, ) == 0x0 00738 1068 NtProtectVirtualMemory (-1, (0x662b1000), 4096, 32, ... (0x662b1000), 4096, 4, ) == 0x0 00739 1068 NtFlushInstructionCache (-1, 1714098176, 932, ... ) == 0x0 00740 1068 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll"}, ... ) }, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00741 1068 NtSetEventBoostPriority (88, ... 00742 1956 NtAllocateVirtualMemory (-1, 21749760, 0, 8192, 4096, 4, ... 21749760, 8192, ) == 0x0 00743 1956 NtProtectVirtualMemory (-1, (0x14be000), 4096, 260, ... (0x14be000), 4096, 4, ) == 0x0 00744 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 156, {1292, 1156}, ) == 0x0 00745 1956 NtQueryInformationThread (156, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffae000,Pid=1292,Tid=1156,}, 0x0, ) == 0x0 00746 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57983, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\14\5\0\0\204\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\14\5\0\0\204\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57984, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57983, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\14\5\0\0\204\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\0\0\0\14\5\0\0\204\4\0\0" ) ) == 0x0 00747 1956 NtResumeThread (156, ... 00688 1856 NtWaitForSingleObject ... ) == 0x0 00741 1068 NtSetEventBoostPriority ... ) == 0x0 00748 1856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\mswsock.dll"}, 12053456, ... }, 12053456, ... 00749 1068 NtWaitForSingleObject (88, 0, 0x0, ... 00748 1856 NtQueryAttributesFile ... ) == 0x0 00750 1856 NtSetEventBoostPriority (88, ... 00710 1796 NtWaitForSingleObject ... ) == 0x0 00751 1796 NtSetEventBoostPriority (88, ... 00723 1808 NtWaitForSingleObject ... ) == 0x0 00752 1808 NtSetEventBoostPriority (88, ... 00735 1700 NtWaitForSingleObject ... ) == 0x0 00753 1700 NtSetEventBoostPriority (88, ... 00749 1068 NtWaitForSingleObject ... ) == 0x0 00754 1068 NtQuerySystemInformation (Basic, 44, ... 
{Unknown=0,MaximumIncrement=156250,PhysicalPageSize=0x1000,NumberOfPhysicalPages=0xff7c,LowestPhysicalPage=0x1,HighestPhysicalPage=0xffff,AllocationGranularity=0x10000,LowestUserAddress=0x10000,HighestUserAddress=0x7ffeffff,ActiveProcessors=1,NumberProcessors=1,}, 0x0, ) == 0x0 00753 1700 NtSetEventBoostPriority ... ) == 0x0 00752 1808 NtSetEventBoostPriority ... ) == 0x0 00751 1796 NtSetEventBoostPriority ... ) == 0x0 00750 1856 NtSetEventBoostPriority ... ) == 0x0 00747 1956 NtResumeThread ... 1, ) == 0x0 00755 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\PagedBuffers"}, ... }, ... 00756 1156 NtTestAlert (... 00757 1700 NtTestAlert (... 00758 1808 NtTestAlert (... 00759 1856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00760 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00755 1068 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00756 1156 NtTestAlert ... ) == 0x0 00757 1700 NtTestAlert ... ) == 0x0 00758 1808 NtTestAlert ... ) == 0x0 00759 1856 NtCreateEvent ... 160, ) == 0x0 00760 1956 NtAllocateVirtualMemory ... 21757952, 1048576, ) == 0x0 00761 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc"}, ... }, ... 00762 1156 NtContinue (21757232, 1, ... 00763 1700 NtContinue (20708656, 1, ... 00764 1808 NtContinue (19660080, 1, ... 00765 1856 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "DNSAPI.dll"}, ... }, ... 00766 1956 NtAllocateVirtualMemory (-1, 22798336, 0, 8192, 4096, 4, ... 00761 1068 NtOpenKey ... 164, ) == 0x0 00767 1156 NtRegisterThreadTerminatePort (24, ... 00768 1700 NtRegisterThreadTerminatePort (24, ... 00769 1808 NtRegisterThreadTerminatePort (24, ... 00765 1856 NtOpenSection ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00766 1956 NtAllocateVirtualMemory ... 22798336, 8192, ) == 0x0 00770 1068 NtQueryValueKey (164, (164, "MaxRpcSize", Partial, 144, ... , Partial, 144, ... 00767 1156 NtRegisterThreadTerminatePort ... 
) == 0x0 00768 1700 NtRegisterThreadTerminatePort ... ) == 0x0 00769 1808 NtRegisterThreadTerminatePort ... ) == 0x0 00771 1856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\u:\work\DNSAPI.dll"}, 12053560, ... }, 12053560, ... 00772 1956 NtProtectVirtualMemory (-1, (0x15be000), 4096, 260, ... 00770 1068 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00773 1796 NtTestAlert (... 00774 1700 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00775 1808 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00776 1156 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00772 1956 NtProtectVirtualMemory ... (0x15be000), 4096, 4, ) == 0x0 00773 1796 NtTestAlert ... ) == 0x0 00777 1068 NtClose (164, ... 00774 1700 NtDuplicateObject ... 168, ) == 0x0 00776 1156 NtDuplicateObject ... 172, ) == 0x0 00778 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00779 1796 NtContinue (18611504, 1, ... 00777 1068 NtClose ... ) == 0x0 00780 1700 NtWaitForSingleObject (64, 0, {0, 0}, ... 00781 1156 NtWaitForSingleObject (64, 0, {0, 0}, ... 00778 1956 NtCreateThread ... 164, {1292, 712}, ) == 0x0 00782 1796 NtRegisterThreadTerminatePort (24, ... 00783 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\packed.exe\RpcThreadPoolThrottle"}, ... }, ... 00780 1700 NtWaitForSingleObject ... ) == 0x102 00781 1156 NtWaitForSingleObject ... ) == 0x102 00784 1956 NtQueryInformationThread (164, Basic, 28, ... 00782 1796 NtRegisterThreadTerminatePort ... ) == 0x0 00783 1068 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00785 1700 NtWaitForSingleObject (136, 0, 0x0, ... 00786 1156 NtWaitForSingleObject (136, 0, 0x0, ... 00784 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffad000,Pid=1292,Tid=712,}, 0x0, ) == 0x0 00787 1796 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00788 1068 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00775 1808 NtDuplicateObject ... 
176, ) == 0x0 00789 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57984, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57984, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\14\5\0\0\310\2\0\0" ... ... 00788 1068 NtCreateEvent ... 180, ) == 0x0 00790 1808 NtWaitForSingleObject (64, 0, {0, 0}, ... 00787 1796 NtDuplicateObject ... 184, ) == 0x0 00771 1856 NtQueryAttributesFile ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00789 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57985, 0} ... {28, 56, reply, 0, 1292, 1956, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\0\0\0\14\5\0\0\310\2\0\0" ) ) == 0x0 00790 1808 NtWaitForSingleObject ... ) == 0x102 00791 1796 NtWaitForSingleObject (64, 0, {0, 0}, ... 00792 1856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 12053560, ... }, 12053560, ... 00793 1956 NtResumeThread (164, ... 00794 1808 NtWaitForSingleObject (136, 0, 0x0, ... 00791 1796 NtWaitForSingleObject ... ) == 0x102 00792 1856 NtQueryAttributesFile ... ) == 0x0 00793 1956 NtResumeThread ... 1, ) == 0x0 00795 1796 NtWaitForSingleObject (136, 0, 0x0, ... 00796 1068 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 00797 712 NtWaitForSingleObject (88, 0, 0x0, ... 00798 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 00796 1068 NtCreateEvent ... 188, ) == 0x0 00798 1956 NtAllocateVirtualMemory ... 22806528, 1048576, ) == 0x0 00799 1068 NtQuerySystemTime (... 00800 1856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\DNSAPI.dll"}, 5, 96, ... }, 5, 96, ... 00799 1068 NtQuerySystemTime ... {1807125538, 29916847}, ) == 0x0 00800 1856 NtOpenFile ... 192, {status=0x0, info=1}, ) == 0x0 00801 1068 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00802 1856 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 192, ... 00801 1068 NtCreateEvent ... 196, ) == 0x0 00802 1856 NtCreateSection ... 
200, ) == 0x0 00803 1956 NtAllocateVirtualMemory (-1, 23846912, 0, 8192, 4096, 4, ... 00804 1856 NtQuerySection (200, Image, 48, ... 00803 1956 NtAllocateVirtualMemory ... 23846912, 8192, ) == 0x0 00804 1856 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 00805 1956 NtProtectVirtualMemory (-1, (0x16be000), 4096, 260, ... 00806 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\Rpc"}, ... }, ... 00805 1956 NtProtectVirtualMemory ... (0x16be000), 4096, 4, ) == 0x0 00806 1068 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00807 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00808 1068 NtQuerySystemInformation (Performance, 312, ... 00807 1956 NtCreateThread ... 204, {1292, 1728}, ) == 0x0 00808 1068 NtQuerySystemInformation ... {system info, class 2, size 312}, 0x0, ) == 0x0 00809 1856 NtClose (192, ... 00810 1068 NtQueryInformationProcess (-1, QuotaLimits, 32, ... 00809 1856 NtClose ... ) == 0x0 00810 1068 NtQueryInformationProcess ... {process info, class 1, size 32}, 0x0, ) == 0x0 00811 1856 NtMapViewOfSection (200, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 00812 1956 NtQueryInformationThread (204, Basic, 28, ... 00811 1856 NtMapViewOfSection ... (0x76f20000), 0x0, 159744, ) == 0x0 00812 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffac000,Pid=1292,Tid=1728,}, 0x0, ) == 0x0 00813 1856 NtClose (200, ... 00814 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57985, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57985, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\14\5\0\0\300\6\0\0" ... ... 00813 1856 NtClose ... ) == 0x0 00814 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57986, 0} ... {28, 56, reply, 0, 1292, 1956, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\0\0\0\14\5\0\0\300\6\0\0" ) ) == 0x0 00815 1068 NtQueryInformationProcess (-1, VmCounters, 44, ... 00816 1956 NtResumeThread (204, ... 
00815 1068 NtQueryInformationProcess ... {process info, class 3, size 44}, 0x0, ) == 0x0 00817 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... 00818 1068 NtWaitForSingleObject (88, 0, 0x0, ... 00817 1856 NtProtectVirtualMemory ... (0x76f21000), 4096, 32, ) == 0x0 00819 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00820 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00821 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00822 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 00816 1956 NtResumeThread ... 1, ) == 0x0 00823 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 23855104, 1048576, ) == 0x0 00824 1956 NtAllocateVirtualMemory (-1, 24895488, 0, 8192, 4096, 4, ... 24895488, 8192, ) == 0x0 00825 1956 NtProtectVirtualMemory (-1, (0x17be000), 4096, 260, ... (0x17be000), 4096, 4, ) == 0x0 00826 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 200, {1292, 1356}, ) == 0x0 00827 1956 NtQueryInformationThread (200, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffab000,Pid=1292,Tid=1356,}, 0x0, ) == 0x0 00828 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57986, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57986, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\5\0\0L\5\0\0" ... ... 00822 1856 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 00829 1728 NtWaitForSingleObject (88, 0, 0x0, ... 00830 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00831 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00832 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00833 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00834 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00835 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 
00828 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57987, 0} ... {28, 56, reply, 0, 1292, 1956, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\0\0\0\14\5\0\0L\5\0\0" ) ) == 0x0 00836 1956 NtResumeThread (200, ... 1, ) == 0x0 00837 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 24903680, 1048576, ) == 0x0 00838 1956 NtAllocateVirtualMemory (-1, 25944064, 0, 8192, 4096, 4, ... 25944064, 8192, ) == 0x0 00839 1956 NtProtectVirtualMemory (-1, (0x18be000), 4096, 260, ... (0x18be000), 4096, 4, ) == 0x0 00840 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 192, {1292, 1536}, ) == 0x0 00835 1856 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 00841 1356 NtWaitForSingleObject (88, 0, 0x0, ... 00842 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00843 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00844 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... (0x76f21000), 4096, 4, ) == 0x0 00845 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00846 1856 NtProtectVirtualMemory (-1, (0x76f21000), 616, 4, ... (0x76f21000), 4096, 32, ) == 0x0 00847 1856 NtProtectVirtualMemory (-1, (0x76f21000), 4096, 32, ... 00848 1956 NtQueryInformationThread (192, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffaa000,Pid=1292,Tid=1536,}, 0x0, ) == 0x0 00849 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57987, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\14\5\0\0\0\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\14\5\0\0\0\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57988, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57987, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\14\5\0\0\0\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\0\0\0\14\5\0\0\0\6\0\0" ) ) == 0x0 00850 1956 NtResumeThread (192, ... 
1, ) == 0x0 00851 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 25952256, 1048576, ) == 0x0 00852 1956 NtAllocateVirtualMemory (-1, 26992640, 0, 8192, 4096, 4, ... 26992640, 8192, ) == 0x0 00853 1956 NtProtectVirtualMemory (-1, (0x19be000), 4096, 260, ... 00847 1856 NtProtectVirtualMemory ... (0x76f21000), 4096, 4, ) == 0x0 00854 1536 NtWaitForSingleObject (88, 0, 0x0, ... 00855 1856 NtFlushInstructionCache (-1, 1995575296, 616, ... ) == 0x0 00856 1856 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00857 1856 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 208, 2, ) , 0, ... 208, 2, ) == 0x0 00858 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 00859 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00860 1856 NtQueryValueKey (212, (212, "QueryAdapterName", Partial, 144, ... , Partial, 144, ... 00853 1956 NtProtectVirtualMemory ... (0x19be000), 4096, 4, ) == 0x0 00861 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 216, {1292, 444}, ) == 0x0 00862 1956 NtQueryInformationThread (216, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa9000,Pid=1292,Tid=444,}, 0x0, ) == 0x0 00863 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57988, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\5\0\0\274\1\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\5\0\0\274\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57989, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57988, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\5\0\0\274\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\0\0\0\14\5\0\0\274\1\0\0" ) ) == 0x0 00864 1956 NtResumeThread (216, ... 1, ) == 0x0 00865 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 27000832, 1048576, ) == 0x0 00860 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00866 444 NtWaitForSingleObject (88, 0, 0x0, ... 00867 1856 NtQueryValueKey (208, (208, "DisableAdapterDomainName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00868 1856 NtQueryValueKey (212, (212, "UseDomainNameDevolution", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00869 1856 NtQueryValueKey (208, (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (208, "UseDomainNameDevolution", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00870 1856 NtQueryValueKey (212, (212, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00871 1856 NtQueryValueKey (208, (208, "PrioritizeRecordData", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00872 1856 NtQueryValueKey (212, (212, "AllowUnqualifiedQuery", Partial, 144, ... , Partial, 144, ... 00873 1956 NtAllocateVirtualMemory (-1, 28041216, 0, 8192, 4096, 4, ... 28041216, 8192, ) == 0x0 00874 1956 NtProtectVirtualMemory (-1, (0x1abe000), 4096, 260, ... (0x1abe000), 4096, 4, ) == 0x0 00875 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 220, {1292, 1904}, ) == 0x0 00876 1956 NtQueryInformationThread (220, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa8000,Pid=1292,Tid=1904,}, 0x0, ) == 0x0 00877 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57989, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\5\0\0p\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\5\0\0p\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57990, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57989, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\5\0\0p\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\0\0\0\14\5\0\0p\7\0\0" ) ) == 0x0 00878 1956 NtResumeThread (220, ... 00872 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00879 1856 NtQueryValueKey (208, (208, "AllowUnqualifiedQuery", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00880 1856 NtQueryValueKey (212, (212, "AppendToMultiLabelName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00881 1856 NtQueryValueKey (212, (212, "ScreenBadTlds", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00882 1856 NtQueryValueKey (212, (212, "ScreenUnreachableServers", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00883 1856 NtQueryValueKey (212, (212, "FilterClusterIp", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00884 1856 NtQueryValueKey (212, (212, "WaitForNameErrorOnAll", Partial, 144, ... , Partial, 144, ... 00878 1956 NtResumeThread ... 1, ) == 0x0 00885 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 28049408, 1048576, ) == 0x0 00886 1956 NtAllocateVirtualMemory (-1, 29089792, 0, 8192, 4096, 4, ... 29089792, 8192, ) == 0x0 00887 1956 NtProtectVirtualMemory (-1, (0x1bbe000), 4096, 260, ... (0x1bbe000), 4096, 4, ) == 0x0 00888 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
224, {1292, 1936}, ) == 0x0 00889 1956 NtQueryInformationThread (224, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa7000,Pid=1292,Tid=1936,}, 0x0, ) == 0x0 00890 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57990, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57990, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\5\0\0\220\7\0\0" ... ... 00884 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00891 1904 NtWaitForSingleObject (88, 0, 0x0, ... 00892 1856 NtQueryValueKey (212, (212, "UseEdns", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00893 1856 NtQueryValueKey (212, (212, "QueryIpMatching", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00894 1856 NtQueryValueKey (212, (212, "UseHostsFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00895 1856 NtQueryValueKey (212, (212, "RegistrationEnabled", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00896 1856 NtQueryValueKey (208, (208, "DisableDynamicUpdate", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00897 1856 NtQueryValueKey (212, (212, "RegisterPrimaryName", Partial, 144, ... , Partial, 144, ... 00890 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57991, 0} ... {28, 56, reply, 0, 1292, 1956, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\0\0\0\14\5\0\0\220\7\0\0" ) ) == 0x0 00898 1956 NtResumeThread (224, ... 1, ) == 0x0 00899 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 29097984, 1048576, ) == 0x0 00900 1956 NtAllocateVirtualMemory (-1, 30138368, 0, 8192, 4096, 4, ... 30138368, 8192, ) == 0x0 00901 1956 NtProtectVirtualMemory (-1, (0x1cbe000), 4096, 260, ... (0x1cbe000), 4096, 4, ) == 0x0 00902 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 228, {1292, 1648}, ) == 0x0 00897 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00903 1936 NtWaitForSingleObject (88, 0, 0x0, ... 
00904 1856 NtQueryValueKey (212, (212, "RegisterAdapterName", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00905 1856 NtQueryValueKey (208, (208, "EnableAdapterDomainNameRegistration", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00906 1856 NtQueryValueKey (212, (212, "RegisterReverseLookup", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00907 1856 NtQueryValueKey (208, (208, "DisableReverseAddressRegistrations", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00908 1856 NtQueryValueKey (212, (212, "RegisterWanAdapters", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00909 1856 NtQueryValueKey (208, (208, "DisableWanDynamicUpdate", Partial, 144, ... , Partial, 144, ... 00910 1956 NtQueryInformationThread (228, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa6000,Pid=1292,Tid=1648,}, 0x0, ) == 0x0 00911 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57991, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\5\0\0p\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\5\0\0p\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57992, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57991, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\5\0\0p\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\0\0\0\14\5\0\0p\6\0\0" ) ) == 0x0 00912 1956 NtResumeThread (228, ... 1, ) == 0x0 00913 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 30146560, 1048576, ) == 0x0 00914 1956 NtAllocateVirtualMemory (-1, 31186944, 0, 8192, 4096, 4, ... 31186944, 8192, ) == 0x0 00915 1956 NtProtectVirtualMemory (-1, (0x1dbe000), 4096, 260, ... 00909 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00916 1648 NtWaitForSingleObject (88, 0, 0x0, ... 
00917 1856 NtQueryValueKey (212, (212, "RegistrationTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00918 1856 NtQueryValueKey (208, (208, "DefaultRegistrationTTL", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00919 1856 NtQueryValueKey (212, (212, "RegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00920 1856 NtQueryValueKey (208, (208, "DefaultRegistrationRefreshInterval", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00921 1856 NtQueryValueKey (212, (212, "RegistrationMaxAddressCount", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00922 1856 NtQueryValueKey (208, (208, "MaxNumberOfAddressesToRegister", Partial, 144, ... , Partial, 144, ... 00915 1956 NtProtectVirtualMemory ... (0x1dbe000), 4096, 4, ) == 0x0 00923 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 232, {1292, 148}, ) == 0x0 00924 1956 NtQueryInformationThread (232, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa5000,Pid=1292,Tid=148,}, 0x0, ) == 0x0 00925 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57992, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\5\0\0\224\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\5\0\0\224\0\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57993, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57992, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\5\0\0\224\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\0\0\0\14\5\0\0\224\0\0\0" ) ) == 0x0 00926 1956 NtResumeThread (232, ... 1, ) == 0x0 00927 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 31195136, 1048576, ) == 0x0 00922 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 148 NtWaitForSingleObject (88, 0, 0x0, ... 
00929 1856 NtQueryValueKey (212, (212, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00930 1856 NtQueryValueKey (208, (208, "UpdateSecurityLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00931 1856 NtQueryValueKey (212, (212, "UpdateZoneExcludeFile", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00932 1856 NtQueryValueKey (212, (212, "UpdateTopLevelDomainZones", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00933 1856 NtQueryValueKey (212, (212, "DnsTest", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00934 1856 NtQueryValueKey (212, (212, "MaxCacheSize", Partial, 144, ... , Partial, 144, ... 00935 1956 NtAllocateVirtualMemory (-1, 32235520, 0, 8192, 4096, 4, ... 32235520, 8192, ) == 0x0 00936 1956 NtProtectVirtualMemory (-1, (0x1ebe000), 4096, 260, ... (0x1ebe000), 4096, 4, ) == 0x0 00937 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 236, {1292, 1828}, ) == 0x0 00938 1956 NtQueryInformationThread (236, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa4000,Pid=1292,Tid=1828,}, 0x0, ) == 0x0 00939 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57993, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\5\0\0$\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\5\0\0$\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57994, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57993, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\5\0\0$\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\0\0\0\14\5\0\0$\7\0\0" ) ) == 0x0 00940 1956 NtResumeThread (236, ... 00934 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00941 1856 NtQueryValueKey (212, (212, "MaxCacheTtl", Partial, 144, ... ) , Partial, 144, ... 
) == STATUS_OBJECT_NAME_NOT_FOUND 00942 1856 NtQueryValueKey (212, (212, "MaxNegativeCacheTtl", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00943 1856 NtQueryValueKey (212, (212, "AdapterTimeoutLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00944 1856 NtQueryValueKey (212, (212, "ServerPriorityTimeLimit", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00945 1856 NtQueryValueKey (212, (212, "MaxCachedSockets", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00946 1856 NtQueryValueKey (212, (212, "MulticastListenLevel", Partial, 144, ... , Partial, 144, ... 00940 1956 NtResumeThread ... 1, ) == 0x0 00947 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 32243712, 1048576, ) == 0x0 00948 1956 NtAllocateVirtualMemory (-1, 33284096, 0, 8192, 4096, 4, ... 33284096, 8192, ) == 0x0 00949 1956 NtProtectVirtualMemory (-1, (0x1fbe000), 4096, 260, ... (0x1fbe000), 4096, 4, ) == 0x0 00950 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 240, {1292, 1864}, ) == 0x0 00951 1956 NtQueryInformationThread (240, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa3000,Pid=1292,Tid=1864,}, 0x0, ) == 0x0 00952 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57994, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57994, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\5\0\0H\7\0\0" ... ... 00946 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00953 1828 NtWaitForSingleObject (88, 0, 0x0, ... 00954 1856 NtQueryValueKey (212, (212, "MulticastSendLevel", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00955 1856 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\Setup"}, ... 244, ) }, ... 244, ) == 0x0 00956 1856 NtQueryValueKey (244, (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 144, ... 
TitleIdx=0, Type=4, Data= (244, "SystemSetupInProgress", Partial, 144, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00957 1856 NtClose (244, ... ) == 0x0 00958 1856 NtClose (208, ... ) == 0x0 00959 1856 NtClose (212, ... 00952 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57995, 0} ... {28, 56, reply, 0, 1292, 1956, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\0\0\0\14\5\0\0H\7\0\0" ) ) == 0x0 00960 1956 NtResumeThread (240, ... 1, ) == 0x0 00961 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 33292288, 1048576, ) == 0x0 00962 1956 NtAllocateVirtualMemory (-1, 34332672, 0, 8192, 4096, 4, ... 34332672, 8192, ) == 0x0 00963 1956 NtProtectVirtualMemory (-1, (0x20be000), 4096, 260, ... (0x20be000), 4096, 4, ) == 0x0 00964 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 208, {1292, 1896}, ) == 0x0 00959 1856 NtClose ... ) == 0x0 00965 1864 NtWaitForSingleObject (88, 0, 0x0, ... 00966 1856 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... 212, ) }, ... 212, ) == 0x0 00967 1856 NtQueryValueKey (212, (212, "DnsQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00968 1856 NtQueryValueKey (212, (212, "DnsQuickQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00969 1856 NtQueryValueKey (212, (212, "DnsMulticastQueryTimeouts", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00970 1856 NtClose (212, ... ) == 0x0 00971 1856 NtSetEventBoostPriority (88, ... 00972 1956 NtQueryInformationThread (208, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ffa2000,Pid=1292,Tid=1896,}, 0x0, ) == 0x0 00973 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57995, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\5\0\0h\7\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\5\0\0h\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 57996, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57995, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\5\0\0h\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\0\0\0\14\5\0\0h\7\0\0" ) ) == 0x0 00974 1956 NtResumeThread (208, ... 1, ) == 0x0 00975 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 34340864, 1048576, ) == 0x0 00976 1956 NtAllocateVirtualMemory (-1, 35381248, 0, 8192, 4096, 4, ... 35381248, 8192, ) == 0x0 00977 1956 NtProtectVirtualMemory (-1, (0x21be000), 4096, 260, ... 00797 712 NtWaitForSingleObject ... ) == 0x0 00971 1856 NtSetEventBoostPriority ... ) == 0x0 00978 1896 NtWaitForSingleObject (88, 0, 0x0, ... 00979 712 NtSetEventBoostPriority (88, ... 00980 1856 NtWaitForSingleObject (88, 0, 0x0, ... 00818 1068 NtWaitForSingleObject ... ) == 0x0 00979 712 NtSetEventBoostPriority ... ) == 0x0 00981 1068 NtSetEventBoostPriority (88, ... 00977 1956 NtProtectVirtualMemory ... (0x21be000), 4096, 4, ) == 0x0 00829 1728 NtWaitForSingleObject ... ) == 0x0 00981 1068 NtSetEventBoostPriority ... ) == 0x0 00982 1728 NtSetEventBoostPriority (88, ... 00983 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 00984 712 NtTestAlert (... 00841 1356 NtWaitForSingleObject ... ) == 0x0 00982 1728 NtSetEventBoostPriority ... ) == 0x0 00983 1956 NtCreateThread ... 212, {1292, 1524}, ) == 0x0 00985 1356 NtSetEventBoostPriority (88, ... 00984 712 NtTestAlert ... ) == 0x0 00986 1068 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 00854 1536 NtWaitForSingleObject ... ) == 0x0 00985 1356 NtSetEventBoostPriority ... ) == 0x0 00987 1956 NtQueryInformationThread (212, Basic, 28, ... 00988 712 NtContinue (22805808, 1, ... 00989 1536 NtSetEventBoostPriority (88, ... 00986 1068 NtCreateEvent ... 244, ) == 0x0 00990 1728 NtTestAlert (... 00987 1956 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ffa1000,Pid=1292,Tid=1524,}, 0x0, ) == 0x0 00866 444 NtWaitForSingleObject ... ) == 0x0 00989 1536 NtSetEventBoostPriority ... ) == 0x0 00991 712 NtRegisterThreadTerminatePort (24, ... 00992 1068 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00990 1728 NtTestAlert ... ) == 0x0 00993 444 NtSetEventBoostPriority (88, ... 00994 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57996, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57996, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\14\5\0\0\364\5\0\0" ... ... 00995 1356 NtTestAlert (... 00991 712 NtRegisterThreadTerminatePort ... ) == 0x0 00992 1068 NtDuplicateObject ... 248, ) == 0x0 00891 1904 NtWaitForSingleObject ... ) == 0x0 00993 444 NtSetEventBoostPriority ... ) == 0x0 00996 1728 NtContinue (23854384, 1, ... 00997 1536 NtTestAlert (... 00995 1356 NtTestAlert ... ) == 0x0 00998 712 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 00999 1904 NtSetEventBoostPriority (88, ... 01000 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Microsoft\Rpc\SecurityService"}, ... }, ... 00994 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57997, 0} ... {28, 56, reply, 0, 1292, 1956, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\0\0\0\14\5\0\0\364\5\0\0" ) ) == 0x0 01001 1728 NtRegisterThreadTerminatePort (24, ... 00997 1536 NtTestAlert ... ) == 0x0 01002 1356 NtContinue (24902960, 1, ... 01003 444 NtTestAlert (... 00903 1936 NtWaitForSingleObject ... ) == 0x0 00999 1904 NtSetEventBoostPriority ... ) == 0x0 01000 1068 NtOpenKey ... 252, ) == 0x0 01004 1956 NtResumeThread (212, ... 01001 1728 NtRegisterThreadTerminatePort ... ) == 0x0 01005 1536 NtContinue (25951536, 1, ... 01006 1356 NtRegisterThreadTerminatePort (24, ... 01007 1936 NtSetEventBoostPriority (88, ... 01003 444 NtTestAlert ... ) == 0x0 00998 712 NtDuplicateObject ... 256, ) == 0x0 01008 1904 NtTestAlert (... 01004 1956 NtResumeThread ... 
1, ) == 0x0 01009 1728 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01010 1536 NtRegisterThreadTerminatePort (24, ... 00916 1648 NtWaitForSingleObject ... ) == 0x0 01007 1936 NtSetEventBoostPriority ... ) == 0x0 01006 1356 NtRegisterThreadTerminatePort ... ) == 0x0 01011 444 NtContinue (27000112, 1, ... 01012 712 NtWaitForSingleObject (64, 0, {0, 0}, ... 01008 1904 NtTestAlert ... ) == 0x0 01013 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01014 1068 NtQueryValueKey (252, (252, "DefaultAuthLevel", Partial, 144, ... , Partial, 144, ... 01015 1524 NtWaitForSingleObject (88, 0, 0x0, ... 01016 1648 NtSetEventBoostPriority (88, ... 01010 1536 NtRegisterThreadTerminatePort ... ) == 0x0 01009 1728 NtDuplicateObject ... 260, ) == 0x0 01017 1356 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01018 444 NtRegisterThreadTerminatePort (24, ... 01012 712 NtWaitForSingleObject ... ) == 0x102 01019 1904 NtContinue (28048688, 1, ... 01013 1956 NtAllocateVirtualMemory ... 35389440, 1048576, ) == 0x0 01014 1068 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00928 148 NtWaitForSingleObject ... ) == 0x0 01016 1648 NtSetEventBoostPriority ... ) == 0x0 01020 1536 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01021 1728 NtWaitForSingleObject (64, 0, {0, 0}, ... 01022 1936 NtTestAlert (... 01018 444 NtRegisterThreadTerminatePort ... ) == 0x0 01023 712 NtWaitForSingleObject (136, 0, 0x0, ... 01024 1904 NtRegisterThreadTerminatePort (24, ... 01017 1356 NtDuplicateObject ... 264, ) == 0x0 01025 148 NtSetEventBoostPriority (88, ... 01026 1068 NtClose (252, ... 01027 1956 NtAllocateVirtualMemory (-1, 36429824, 0, 8192, 4096, 4, ... 01028 1648 NtTestAlert (... 01021 1728 NtWaitForSingleObject ... ) == 0x102 01022 1936 NtTestAlert ... ) == 0x0 01029 444 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01024 1904 NtRegisterThreadTerminatePort ... ) == 0x0 00953 1828 NtWaitForSingleObject ... ) == 0x0 01025 148 NtSetEventBoostPriority ... 
) == 0x0 01030 1356 NtAllocateVirtualMemory (-1, 1368064, 0, 4096, 4096, 4, ... 01026 1068 NtClose ... ) == 0x0 01027 1956 NtAllocateVirtualMemory ... 36429824, 8192, ) == 0x0 01028 1648 NtTestAlert ... ) == 0x0 01031 1728 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01032 1936 NtContinue (29097264, 1, ... 01020 1536 NtDuplicateObject ... 252, ) == 0x0 01033 1828 NtSetEventBoostPriority (88, ... 01034 1904 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01029 444 NtDuplicateObject ... 268, ) == 0x0 01030 1356 NtAllocateVirtualMemory ... 1368064, 4096, ) == 0x0 01035 1068 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01036 1956 NtProtectVirtualMemory (-1, (0x22be000), 4096, 260, ... 01037 1648 NtContinue (30145840, 1, ... 01031 1728 NtCreateEvent ... 272, ) == 0x0 01038 1936 NtRegisterThreadTerminatePort (24, ... 00965 1864 NtWaitForSingleObject ... ) == 0x0 01033 1828 NtSetEventBoostPriority ... ) == 0x0 01039 1536 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01040 148 NtTestAlert (... 01041 444 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01042 1356 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01035 1068 NtCreateEvent ... 276, ) == 0x0 01036 1956 NtProtectVirtualMemory ... (0x22be000), 4096, 4, ) == 0x0 01043 1648 NtRegisterThreadTerminatePort (24, ... 01034 1904 NtCreateEvent ... 280, ) == 0x0 01044 1864 NtSetEventBoostPriority (88, ... 01038 1936 NtRegisterThreadTerminatePort ... ) == 0x0 01045 1728 NtWaitForSingleObject (272, 0, 0x0, ... 01039 1536 NtCreateEvent ... 284, ) == 0x0 01040 148 NtTestAlert ... ) == 0x0 01041 444 NtCreateEvent ... 288, ) == 0x0 01042 1356 NtCreateEvent ... 292, ) == 0x0 01046 1828 NtTestAlert (... 01047 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01043 1648 NtRegisterThreadTerminatePort ... ) == 0x0 00978 1896 NtWaitForSingleObject ... ) == 0x0 01044 1864 NtSetEventBoostPriority ... ) == 0x0 01048 1904 NtClose (280, ... 01049 1936 NtWaitForSingleObject (272, 0, 0x0, ... 01050 1536 NtClose (284, ... 01051 148 NtContinue (31194416, 1, ... 
01052 444 NtClose (288, ... 01053 1356 NtClose (292, ... 01046 1828 NtTestAlert ... ) == 0x0 01047 1956 NtCreateThread ... 296, {1292, 1944}, ) == 0x0 01054 1896 NtSetEventBoostPriority (88, ... 01055 1648 NtWaitForSingleObject (272, 0, 0x0, ... 01056 1068 NtClose (276, ... 01048 1904 NtClose ... ) == 0x0 01057 1864 NtTestAlert (... 01050 1536 NtClose ... ) == 0x0 01058 148 NtRegisterThreadTerminatePort (24, ... 01052 444 NtClose ... ) == 0x0 01059 1828 NtContinue (32242992, 1, ... 01053 1356 NtClose ... ) == 0x0 00980 1856 NtWaitForSingleObject ... ) == 0x0 01054 1896 NtSetEventBoostPriority ... ) == 0x0 01060 1956 NtQueryInformationThread (296, Basic, 28, ... 01056 1068 NtClose ... ) == 0x0 01061 1904 NtWaitForSingleObject (272, 0, 0x0, ... 01057 1864 NtTestAlert ... ) == 0x0 01062 1536 NtWaitForSingleObject (272, 0, 0x0, ... 01058 148 NtRegisterThreadTerminatePort ... ) == 0x0 01063 444 NtWaitForSingleObject (272, 0, 0x0, ... 01064 1828 NtRegisterThreadTerminatePort (24, ... 01065 1856 NtSetEventBoostPriority (88, ... 01066 1356 NtSetEventBoostPriority (272, ... 01060 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ffa0000,Pid=1292,Tid=1944,}, 0x0, ) == 0x0 01067 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01068 1864 NtContinue (33291568, 1, ... 01069 1896 NtTestAlert (... 01070 148 NtWaitForSingleObject (272, 0, 0x0, ... 01015 1524 NtWaitForSingleObject ... ) == 0x0 01065 1856 NtSetEventBoostPriority ... ) == 0x0 01064 1828 NtRegisterThreadTerminatePort ... ) == 0x0 01045 1728 NtWaitForSingleObject ... ) == 0x0 01066 1356 NtSetEventBoostPriority ... ) == 0x0 01071 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57997, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57997, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\5\0\0\230\7\0\0" ... ... 01072 1864 NtRegisterThreadTerminatePort (24, ... 01069 1896 NtTestAlert ... ) == 0x0 01073 1524 NtTestAlert (... 01074 1728 NtSetEventBoostPriority (272, ... 
01075 1828 NtWaitForSingleObject (272, 0, 0x0, ... 01076 1356 NtWaitForSingleObject (272, 0, 0x0, ... 01071 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57998, 0} ... {28, 56, reply, 0, 1292, 1956, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\1\0\0\14\5\0\0\230\7\0\0" ) ) == 0x0 01072 1864 NtRegisterThreadTerminatePort ... ) == 0x0 01073 1524 NtTestAlert ... ) == 0x0 01049 1936 NtWaitForSingleObject ... ) == 0x0 01074 1728 NtSetEventBoostPriority ... ) == 0x0 01077 1896 NtContinue (34340144, 1, ... 01078 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01079 1956 NtResumeThread (296, ... 01080 1864 NtWaitForSingleObject (272, 0, 0x0, ... 01081 1936 NtSetEventBoostPriority (272, ... 01082 1728 NtWaitForSingleObject (136, 0, 0x0, ... 01083 1896 NtRegisterThreadTerminatePort (24, ... 01084 1524 NtContinue (35388720, 1, ... 01079 1956 NtResumeThread ... 1, ) == 0x0 01055 1648 NtWaitForSingleObject ... ) == 0x0 01081 1936 NtSetEventBoostPriority ... ) == 0x0 01085 1944 NtAllocateVirtualMemory (-1, 8802304, 0, 4096, 4096, 4, ... 01083 1896 NtRegisterThreadTerminatePort ... ) == 0x0 01086 1524 NtRegisterThreadTerminatePort (24, ... 01087 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01088 1648 NtSetEventBoostPriority (272, ... 01089 1936 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01085 1944 NtAllocateVirtualMemory ... 8802304, 4096, ) == 0x0 01090 1896 NtWaitForSingleObject (272, 0, 0x0, ... 01086 1524 NtRegisterThreadTerminatePort ... ) == 0x0 01087 1956 NtAllocateVirtualMemory ... 36438016, 1048576, ) == 0x0 01061 1904 NtWaitForSingleObject ... ) == 0x0 01089 1936 NtDuplicateObject ... 276, ) == 0x0 01091 1944 NtTestAlert (... 01088 1648 NtSetEventBoostPriority ... ) == 0x0 01092 1524 NtWaitForSingleObject (272, 0, 0x0, ... 01093 1956 NtAllocateVirtualMemory (-1, 37478400, 0, 8192, 4096, 4, ... 01094 1904 NtSetEventBoostPriority (272, ... 01091 1944 NtTestAlert ... ) == 0x0 01095 1648 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01093 1956 NtAllocateVirtualMemory ... 37478400, 8192, ) == 0x0 01062 1536 NtWaitForSingleObject ... ) == 0x0 01094 1904 NtSetEventBoostPriority ... ) == 0x0 01096 1944 NtContinue (36437296, 1, ... 01095 1648 NtDuplicateObject ... 292, ) == 0x0 01097 1536 NtSetEventBoostPriority (272, ... 01098 1956 NtProtectVirtualMemory (-1, (0x23be000), 4096, 260, ... 01099 1936 NtWaitForSingleObject (272, 0, 0x0, ... 01100 1904 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01101 1944 NtRegisterThreadTerminatePort (24, ... 01067 1068 NtWaitForSingleObject ... ) == 0x0 01097 1536 NtSetEventBoostPriority ... ) == 0x0 01102 1648 NtWaitForSingleObject (272, 0, 0x0, ... 01100 1904 NtDuplicateObject ... 288, ) == 0x0 01101 1944 NtRegisterThreadTerminatePort ... ) == 0x0 01103 1068 NtSetEventBoostPriority (272, ... 01104 1536 NtWaitForSingleObject (272, 0, 0x0, ... 01105 1904 NtWaitForSingleObject (272, 0, 0x0, ... 01106 1944 NtWaitForSingleObject (272, 0, 0x0, ... 01063 444 NtWaitForSingleObject ... ) == 0x0 01103 1068 NtSetEventBoostPriority ... ) == 0x0 01107 444 NtSetEventBoostPriority (272, ... 01098 1956 NtProtectVirtualMemory ... (0x23be000), 4096, 4, ) == 0x0 01070 148 NtWaitForSingleObject ... ) == 0x0 01108 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01109 148 NtSetEventBoostPriority (272, ... 01108 1956 NtCreateThread ... 284, {1292, 2044}, ) == 0x0 01076 1356 NtWaitForSingleObject ... ) == 0x0 01110 1956 NtQueryInformationThread (284, Basic, 28, ... 01111 1356 NtSetEventBoostPriority (272, ... 01110 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9f000,Pid=1292,Tid=2044,}, 0x0, ) == 0x0 01075 1828 NtWaitForSingleObject ... ) == 0x0 01111 1356 NtSetEventBoostPriority ... ) == 0x0 01112 1828 NtSetEventBoostPriority (272, ... 01113 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57998, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57998, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\5\0\0\374\7\0\0" ... ... 
01109 148 NtSetEventBoostPriority ... ) == 0x0 01107 444 NtSetEventBoostPriority ... ) == 0x0 01114 1068 NtOpenThreadToken (-2, 0xc, 1, ... 01078 1856 NtWaitForSingleObject ... ) == 0x0 01112 1828 NtSetEventBoostPriority ... ) == 0x0 01115 1356 NtWaitForSingleObject (272, 0, 0x0, ... 01116 148 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01117 444 NtWaitForSingleObject (272, 0, 0x0, ... 01114 1068 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01118 1856 NtSetEventBoostPriority (272, ... 01119 1828 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01116 148 NtDuplicateObject ... 280, ) == 0x0 01120 1068 NtOpenThreadToken (-2, 0x20008, 1, ... 01080 1864 NtWaitForSingleObject ... ) == 0x0 01118 1856 NtSetEventBoostPriority ... ) == 0x0 01119 1828 NtDuplicateObject ... 300, ) == 0x0 01113 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 57999, 0} ... {28, 56, reply, 0, 1292, 1956, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\1\0\0\14\5\0\0\374\7\0\0" ) ) == 0x0 01121 1864 NtSetEventBoostPriority (272, ... 01120 1068 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01122 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01123 148 NtWaitForSingleObject (272, 0, 0x0, ... 01090 1896 NtWaitForSingleObject ... ) == 0x0 01124 1956 NtResumeThread (284, ... 01125 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01121 1864 NtSetEventBoostPriority ... ) == 0x0 01126 1828 NtWaitForSingleObject (272, 0, 0x0, ... 01127 1896 NtSetEventBoostPriority (272, ... 01124 1956 NtResumeThread ... 1, ) == 0x0 01128 1864 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01092 1524 NtWaitForSingleObject ... ) == 0x0 01129 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01128 1864 NtDuplicateObject ... 304, ) == 0x0 01130 1524 NtSetEventBoostPriority (272, ... 01129 1956 NtAllocateVirtualMemory ... 37486592, 1048576, ) == 0x0 01127 1896 NtSetEventBoostPriority ... ) == 0x0 01131 2044 NtTestAlert (... 01099 1936 NtWaitForSingleObject ... ) == 0x0 01130 1524 NtSetEventBoostPriority ... 
) == 0x0 01132 1864 NtWaitForSingleObject (272, 0, 0x0, ... 01133 1896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01134 1936 NtSetEventBoostPriority (272, ... 01131 2044 NtTestAlert ... ) == 0x0 01135 1956 NtAllocateVirtualMemory (-1, 38526976, 0, 8192, 4096, 4, ... 01102 1648 NtWaitForSingleObject ... ) == 0x0 01134 1936 NtSetEventBoostPriority ... ) == 0x0 01133 1896 NtDuplicateObject ... 308, ) == 0x0 01136 2044 NtContinue (37485872, 1, ... 01137 1648 NtSetEventBoostPriority (272, ... 01135 1956 NtAllocateVirtualMemory ... 38526976, 8192, ) == 0x0 01138 1936 NtWaitForSingleObject (272, 0, 0x0, ... 01139 1524 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01104 1536 NtWaitForSingleObject ... ) == 0x0 01137 1648 NtSetEventBoostPriority ... ) == 0x0 01140 2044 NtRegisterThreadTerminatePort (24, ... 01141 1956 NtProtectVirtualMemory (-1, (0x24be000), 4096, 260, ... 01142 1896 NtWaitForSingleObject (272, 0, 0x0, ... 01143 1536 NtSetEventBoostPriority (272, ... 01139 1524 NtDuplicateObject ... 312, ) == 0x0 01144 1648 NtWaitForSingleObject (272, 0, 0x0, ... 01140 2044 NtRegisterThreadTerminatePort ... ) == 0x0 01141 1956 NtProtectVirtualMemory ... (0x24be000), 4096, 4, ) == 0x0 01105 1904 NtWaitForSingleObject ... ) == 0x0 01143 1536 NtSetEventBoostPriority ... ) == 0x0 01145 1524 NtWaitForSingleObject (272, 0, 0x0, ... 01146 1904 NtSetEventBoostPriority (272, ... 01147 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01148 2044 NtWaitForSingleObject (272, 0, 0x0, ... 01106 1944 NtWaitForSingleObject ... ) == 0x0 01146 1904 NtSetEventBoostPriority ... ) == 0x0 01147 1956 NtCreateThread ... 316, {1292, 240}, ) == 0x0 01149 1944 NtSetEventBoostPriority (272, ... 01150 1536 NtWaitForSingleObject (272, 0, 0x0, ... 01151 1904 NtWaitForSingleObject (272, 0, 0x0, ... 01115 1356 NtWaitForSingleObject ... ) == 0x0 01149 1944 NtSetEventBoostPriority ... ) == 0x0 01152 1356 NtSetEventBoostPriority (272, ... 
01153 1956 NtQueryInformationThread (316, Basic, 28, ... 01117 444 NtWaitForSingleObject ... ) == 0x0 01152 1356 NtSetEventBoostPriority ... ) == 0x0 01154 444 NtSetEventBoostPriority (272, ... 01153 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9e000,Pid=1292,Tid=240,}, 0x0, ) == 0x0 01123 148 NtWaitForSingleObject ... ) == 0x0 01154 444 NtSetEventBoostPriority ... ) == 0x0 01155 1356 NtWaitForSingleObject (272, 0, 0x0, ... 01156 148 NtSetEventBoostPriority (272, ... 01157 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 57999, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 57999, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\14\5\0\0\360\0\0\0" ... ... 01158 1944 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01159 444 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01125 1068 NtWaitForSingleObject ... ) == 0x0 01156 148 NtSetEventBoostPriority ... ) == 0x0 01157 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58000, 0} ... {28, 56, reply, 0, 1292, 1956, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\1\0\0\14\5\0\0\360\0\0\0" ) ) == 0x0 01158 1944 NtDuplicateObject ... 320, ) == 0x0 01160 1068 NtSetEventBoostPriority (272, ... 01159 444 NtCreateEvent ... 324, ) == 0x0 01161 148 NtWaitForSingleObject (272, 0, 0x0, ... 01162 1956 NtResumeThread (316, ... 01126 1828 NtWaitForSingleObject ... ) == 0x0 01160 1068 NtSetEventBoostPriority ... ) == 0x0 01163 1944 NtWaitForSingleObject (272, 0, 0x0, ... 01164 444 NtWaitForSingleObject (324, 0, 0x0, ... 01165 1828 NtSetEventBoostPriority (272, ... 01162 1956 NtResumeThread ... 1, ) == 0x0 01122 1856 NtWaitForSingleObject ... ) == 0x0 01165 1828 NtSetEventBoostPriority ... ) == 0x0 01166 1856 NtSetEventBoostPriority (272, ... 01167 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01132 1864 NtWaitForSingleObject ... ) == 0x0 01168 1828 NtWaitForSingleObject (272, 0, 0x0, ... 01167 1956 NtAllocateVirtualMemory ... 
38535168, 1048576, ) == 0x0 01169 1864 NtSetEventBoostPriority (272, ... 01166 1856 NtSetEventBoostPriority ... ) == 0x0 01170 1068 NtWaitForSingleObject (324, 0, 0x0, ... 01171 240 NtTestAlert (... 01172 1956 NtAllocateVirtualMemory (-1, 39575552, 0, 8192, 4096, 4, ... 01142 1896 NtWaitForSingleObject ... ) == 0x0 01169 1864 NtSetEventBoostPriority ... ) == 0x0 01173 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01171 240 NtTestAlert ... ) == 0x0 01174 1896 NtSetEventBoostPriority (272, ... 01172 1956 NtAllocateVirtualMemory ... 39575552, 8192, ) == 0x0 01175 1864 NtWaitForSingleObject (272, 0, 0x0, ... 01138 1936 NtWaitForSingleObject ... ) == 0x0 01174 1896 NtSetEventBoostPriority ... ) == 0x0 01176 240 NtContinue (38534448, 1, ... 01177 1956 NtProtectVirtualMemory (-1, (0x25be000), 4096, 260, ... 01178 1936 NtSetEventBoostPriority (272, ... 01179 1896 NtWaitForSingleObject (272, 0, 0x0, ... 01180 240 NtRegisterThreadTerminatePort (24, ... 01144 1648 NtWaitForSingleObject ... ) == 0x0 01178 1936 NtSetEventBoostPriority ... ) == 0x0 01177 1956 NtProtectVirtualMemory ... (0x25be000), 4096, 4, ) == 0x0 01180 240 NtRegisterThreadTerminatePort ... ) == 0x0 01181 1648 NtSetEventBoostPriority (272, ... 01182 1936 NtWaitForSingleObject (272, 0, 0x0, ... 01183 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01145 1524 NtWaitForSingleObject ... ) == 0x0 01183 1956 NtCreateThread ... 328, {1292, 968}, ) == 0x0 01184 1524 NtSetEventBoostPriority (272, ... 01185 1956 NtQueryInformationThread (328, Basic, 28, ... 01148 2044 NtWaitForSingleObject ... ) == 0x0 01184 1524 NtSetEventBoostPriority ... ) == 0x0 01186 2044 NtSetEventBoostPriority (272, ... 01185 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9d000,Pid=1292,Tid=968,}, 0x0, ) == 0x0 01181 1648 NtSetEventBoostPriority ... ) == 0x0 01187 240 NtWaitForSingleObject (272, 0, 0x0, ... 01150 1536 NtWaitForSingleObject ... ) == 0x0 01186 2044 NtSetEventBoostPriority ... 
) == 0x0 01188 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58000, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58000, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\14\5\0\0\310\3\0\0" ... ... 01189 1648 NtWaitForSingleObject (272, 0, 0x0, ... 01190 1536 NtSetEventBoostPriority (272, ... 01191 2044 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01192 1524 NtWaitForSingleObject (272, 0, 0x0, ... 01151 1904 NtWaitForSingleObject ... ) == 0x0 01190 1536 NtSetEventBoostPriority ... ) == 0x0 01188 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58001, 0} ... {28, 56, reply, 0, 1292, 1956, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\1\0\0\14\5\0\0\310\3\0\0" ) ) == 0x0 01193 1904 NtSetEventBoostPriority (272, ... 01194 1536 NtWaitForSingleObject (324, 0, 0x0, ... 01155 1356 NtWaitForSingleObject ... ) == 0x0 01193 1904 NtSetEventBoostPriority ... ) == 0x0 01195 1956 NtResumeThread (328, ... 01191 2044 NtDuplicateObject ... 332, ) == 0x0 01196 1356 NtSetEventBoostPriority (272, ... 01197 1904 NtWaitForSingleObject (324, 0, 0x0, ... 01195 1956 NtResumeThread ... 1, ) == 0x0 01161 148 NtWaitForSingleObject ... ) == 0x0 01198 2044 NtWaitForSingleObject (272, 0, 0x0, ... 01196 1356 NtSetEventBoostPriority ... ) == 0x0 01199 968 NtTestAlert (... 01200 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01201 148 NtSetEventBoostPriority (272, ... 01202 1356 NtSetEventBoostPriority (324, ... 01199 968 NtTestAlert ... ) == 0x0 01200 1956 NtAllocateVirtualMemory ... 39583744, 1048576, ) == 0x0 01163 1944 NtWaitForSingleObject ... ) == 0x0 01164 444 NtWaitForSingleObject ... ) == 0x0 01202 1356 NtSetEventBoostPriority ... ) == 0x0 01203 968 NtContinue (39583024, 1, ... 01201 148 NtSetEventBoostPriority ... ) == 0x0 01204 444 NtWaitForSingleObject (272, 0, 0x0, ... 01205 1944 NtSetEventBoostPriority (272, ... 01206 1956 NtAllocateVirtualMemory (-1, 40624128, 0, 8192, 4096, 4, ... 01207 968 NtRegisterThreadTerminatePort (24, ... 
01208 148 NtWaitForSingleObject (324, 0, 0x0, ... 01173 1856 NtWaitForSingleObject ... ) == 0x0 01205 1944 NtSetEventBoostPriority ... ) == 0x0 01206 1956 NtAllocateVirtualMemory ... 40624128, 8192, ) == 0x0 01207 968 NtRegisterThreadTerminatePort ... ) == 0x0 01209 1856 NtSetEventBoostPriority (272, ... 01210 1356 NtWaitForSingleObject (64, 0, {0, 0}, ... 01211 1956 NtProtectVirtualMemory (-1, (0x26be000), 4096, 260, ... 01212 1944 NtWaitForSingleObject (324, 0, 0x0, ... 01168 1828 NtWaitForSingleObject ... ) == 0x0 01209 1856 NtSetEventBoostPriority ... ) == 0x0 01210 1356 NtWaitForSingleObject ... ) == 0x102 01211 1956 NtProtectVirtualMemory ... (0x26be000), 4096, 4, ) == 0x0 01213 1828 NtSetEventBoostPriority (272, ... 01214 968 NtWaitForSingleObject (272, 0, 0x0, ... 01215 1356 NtWaitForSingleObject (136, 0, 0x0, ... 01175 1864 NtWaitForSingleObject ... ) == 0x0 01216 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01217 1864 NtSetEventBoostPriority (272, ... 01216 1956 NtCreateThread ... 336, {1292, 308}, ) == 0x0 01179 1896 NtWaitForSingleObject ... ) == 0x0 01217 1864 NtSetEventBoostPriority ... ) == 0x0 01213 1828 NtSetEventBoostPriority ... ) == 0x0 01218 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01219 1896 NtSetEventBoostPriority (272, ... 01220 1864 NtWaitForSingleObject (324, 0, 0x0, ... 01221 1828 NtWaitForSingleObject (324, 0, 0x0, ... 01182 1936 NtWaitForSingleObject ... ) == 0x0 01222 1936 NtSetEventBoostPriority (272, ... 01187 240 NtWaitForSingleObject ... ) == 0x0 01223 240 NtAllocateVirtualMemory (-1, 1372160, 0, 4096, 4096, 4, ... 1372160, 4096, ) == 0x0 01224 240 NtSetEventBoostPriority (272, ... 01222 1936 NtSetEventBoostPriority ... ) == 0x0 01219 1896 NtSetEventBoostPriority ... ) == 0x0 01225 1956 NtQueryInformationThread (336, Basic, 28, ... 01189 1648 NtWaitForSingleObject ... ) == 0x0 01224 240 NtSetEventBoostPriority ... ) == 0x0 01226 1896 NtWaitForSingleObject (324, 0, 0x0, ... 
01225 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9c000,Pid=1292,Tid=308,}, 0x0, ) == 0x0 01227 1648 NtSetEventBoostPriority (272, ... 01228 240 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01229 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58001, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58001, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\14\5\0\04\1\0\0" ... ... 01192 1524 NtWaitForSingleObject ... ) == 0x0 01227 1648 NtSetEventBoostPriority ... ) == 0x0 01228 240 NtDuplicateObject ... 340, ) == 0x0 01230 1524 NtSetEventBoostPriority (272, ... 01229 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58002, 0} ... {28, 56, reply, 0, 1292, 1956, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\1\0\0\14\5\0\04\1\0\0" ) ) == 0x0 01231 1936 NtWaitForSingleObject (324, 0, 0x0, ... 01198 2044 NtWaitForSingleObject ... ) == 0x0 01230 1524 NtSetEventBoostPriority ... ) == 0x0 01232 240 NtWaitForSingleObject (272, 0, 0x0, ... 01233 1956 NtResumeThread (336, ... 01234 2044 NtSetEventBoostPriority (272, ... 01235 1524 NtWaitForSingleObject (324, 0, 0x0, ... 01236 1648 NtWaitForSingleObject (324, 0, 0x0, ... 01204 444 NtWaitForSingleObject ... ) == 0x0 01234 2044 NtSetEventBoostPriority ... ) == 0x0 01233 1956 NtResumeThread ... 1, ) == 0x0 01237 444 NtSetEventBoostPriority (272, ... 01238 308 NtTestAlert (... 01214 968 NtWaitForSingleObject ... ) == 0x0 01237 444 NtSetEventBoostPriority ... ) == 0x0 01239 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01240 968 NtSetEventBoostPriority (272, ... 01238 308 NtTestAlert ... ) == 0x0 01241 2044 NtWaitForSingleObject (324, 0, 0x0, ... 01218 1856 NtWaitForSingleObject ... ) == 0x0 01240 968 NtSetEventBoostPriority ... ) == 0x0 01239 1956 NtAllocateVirtualMemory ... 40632320, 1048576, ) == 0x0 01242 308 NtContinue (40631600, 1, ... 01243 1856 NtSetEventBoostPriority (272, ... 01244 968 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
01245 1956 NtAllocateVirtualMemory (-1, 41672704, 0, 8192, 4096, 4, ... 01232 240 NtWaitForSingleObject ... ) == 0x0 01243 1856 NtSetEventBoostPriority ... ) == 0x0 01246 308 NtRegisterThreadTerminatePort (24, ... 01247 444 NtSetEventBoostPriority (324, ... 01248 240 NtWaitForSingleObject (324, 0, 0x0, ... 01245 1956 NtAllocateVirtualMemory ... 41672704, 8192, ) == 0x0 01249 1856 NtCreateEvent (0x1f0003, 0x0, 0, 0, ... 01246 308 NtRegisterThreadTerminatePort ... ) == 0x0 01170 1068 NtWaitForSingleObject ... ) == 0x0 01247 444 NtSetEventBoostPriority ... ) == 0x0 01250 1956 NtProtectVirtualMemory (-1, (0x27be000), 4096, 260, ... 01244 968 NtDuplicateObject ... 344, ) == 0x0 01249 1856 NtCreateEvent ... 348, ) == 0x0 01251 1068 NtSetEventBoostPriority (324, ... 01252 444 NtWaitForSingleObject (64, 0, {0, 0}, ... 01253 308 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01254 968 NtWaitForSingleObject (324, 0, 0x0, ... 01194 1536 NtWaitForSingleObject ... ) == 0x0 01251 1068 NtSetEventBoostPriority ... ) == 0x0 01255 1856 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01252 444 NtWaitForSingleObject ... ) == 0x102 01253 308 NtDuplicateObject ... 352, ) == 0x0 01256 1536 NtSetEventBoostPriority (324, ... 01257 1068 NtWaitForSingleObject (324, 0, 0x0, ... 01255 1856 NtDuplicateObject ... 356, ) == 0x0 01258 444 NtWaitForSingleObject (136, 0, 0x0, ... 01197 1904 NtWaitForSingleObject ... ) == 0x0 01259 308 NtWaitForSingleObject (324, 0, 0x0, ... 01256 1536 NtSetEventBoostPriority ... ) == 0x0 01250 1956 NtProtectVirtualMemory ... (0x27be000), 4096, 4, ) == 0x0 01260 1856 NtWaitForSingleObject (324, 0, 0x0, ... 01261 1904 NtSetEventBoostPriority (324, ... 01262 1536 NtWaitForSingleObject (64, 0, {0, 0}, ... 01263 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01208 148 NtWaitForSingleObject ... ) == 0x0 01263 1956 NtCreateThread ... 360, {1292, 764}, ) == 0x0 01264 148 NtSetEventBoostPriority (324, ... 
01265 1956 NtQueryInformationThread (360, Basic, 28, ... 01212 1944 NtWaitForSingleObject ... ) == 0x0 01264 148 NtSetEventBoostPriority ... ) == 0x0 01266 1944 NtSetEventBoostPriority (324, ... 01265 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9b000,Pid=1292,Tid=764,}, 0x0, ) == 0x0 01261 1904 NtSetEventBoostPriority ... ) == 0x0 01262 1536 NtWaitForSingleObject ... ) == 0x102 01220 1864 NtWaitForSingleObject ... ) == 0x0 01266 1944 NtSetEventBoostPriority ... ) == 0x0 01267 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58002, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58002, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\14\5\0\0\374\2\0\0" ... ... 01268 1904 NtWaitForSingleObject (64, 0, {0, 0}, ... 01269 1864 NtSetEventBoostPriority (324, ... 01270 1536 NtWaitForSingleObject (136, 0, 0x0, ... 01271 1944 NtWaitForSingleObject (64, 0, {0, 0}, ... 01272 148 NtWaitForSingleObject (64, 0, {0, 0}, ... 01221 1828 NtWaitForSingleObject ... ) == 0x0 01269 1864 NtSetEventBoostPriority ... ) == 0x0 01267 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58003, 0} ... {28, 56, reply, 0, 1292, 1956, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\1\0\0\14\5\0\0\374\2\0\0" ) ) == 0x0 01268 1904 NtWaitForSingleObject ... ) == 0x102 01273 1828 NtSetEventBoostPriority (324, ... 01272 148 NtWaitForSingleObject ... ) == 0x102 01271 1944 NtWaitForSingleObject ... ) == 0x102 01274 1956 NtResumeThread (360, ... 01226 1896 NtWaitForSingleObject ... ) == 0x0 01273 1828 NtSetEventBoostPriority ... ) == 0x0 01275 1904 NtWaitForSingleObject (136, 0, 0x0, ... 01276 148 NtWaitForSingleObject (136, 0, 0x0, ... 01277 1944 NtWaitForSingleObject (136, 0, 0x0, ... 01278 1896 NtSetEventBoostPriority (324, ... 01274 1956 NtResumeThread ... 1, ) == 0x0 01279 1864 NtWaitForSingleObject (64, 0, {0, 0}, ... 01231 1936 NtWaitForSingleObject ... ) == 0x0 01278 1896 NtSetEventBoostPriority ... ) == 0x0 01280 1936 NtSetEventBoostPriority (324, ... 
01279 1864 NtWaitForSingleObject ... ) == 0x102 01281 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01282 1828 NtWaitForSingleObject (64, 0, {0, 0}, ... 01283 764 NtTestAlert (... 01236 1648 NtWaitForSingleObject ... ) == 0x0 01280 1936 NtSetEventBoostPriority ... ) == 0x0 01284 1864 NtWaitForSingleObject (136, 0, 0x0, ... 01281 1956 NtAllocateVirtualMemory ... 41680896, 1048576, ) == 0x0 01282 1828 NtWaitForSingleObject ... ) == 0x102 01285 1648 NtSetEventBoostPriority (324, ... 01283 764 NtTestAlert ... ) == 0x0 01286 1936 NtWaitForSingleObject (64, 0, {0, 0}, ... 01287 1956 NtAllocateVirtualMemory (-1, 42721280, 0, 8192, 4096, 4, ... 01235 1524 NtWaitForSingleObject ... ) == 0x0 01285 1648 NtSetEventBoostPriority ... ) == 0x0 01288 1828 NtWaitForSingleObject (136, 0, 0x0, ... 01289 764 NtContinue (41680176, 1, ... 01290 1896 NtWaitForSingleObject (64, 0, {0, 0}, ... 01291 1524 NtSetEventBoostPriority (324, ... 01287 1956 NtAllocateVirtualMemory ... 42721280, 8192, ) == 0x0 01292 1648 NtWaitForSingleObject (64, 0, {0, 0}, ... 01293 764 NtRegisterThreadTerminatePort (24, ... 01241 2044 NtWaitForSingleObject ... ) == 0x0 01290 1896 NtWaitForSingleObject ... ) == 0x102 01294 1956 NtProtectVirtualMemory (-1, (0x28be000), 4096, 260, ... 01291 1524 NtSetEventBoostPriority ... ) == 0x0 01286 1936 NtWaitForSingleObject ... ) == 0x102 01293 764 NtRegisterThreadTerminatePort ... ) == 0x0 01295 2044 NtSetEventBoostPriority (324, ... 01296 1896 NtWaitForSingleObject (136, 0, 0x0, ... 01294 1956 NtProtectVirtualMemory ... (0x28be000), 4096, 4, ) == 0x0 01297 1524 NtWaitForSingleObject (64, 0, {0, 0}, ... 01298 1936 NtWaitForSingleObject (136, 0, 0x0, ... 01292 1648 NtWaitForSingleObject ... ) == 0x102 01248 240 NtWaitForSingleObject ... ) == 0x0 01295 2044 NtSetEventBoostPriority ... ) == 0x0 01299 764 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01300 240 NtSetEventBoostPriority (324, ... 01301 1648 NtWaitForSingleObject (136, 0, 0x0, ... 
01302 2044 NtWaitForSingleObject (64, 0, {0, 0}, ... 01254 968 NtWaitForSingleObject ... ) == 0x0 01300 240 NtSetEventBoostPriority ... ) == 0x0 01299 764 NtDuplicateObject ... 364, ) == 0x0 01303 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01297 1524 NtWaitForSingleObject ... ) == 0x102 01304 968 NtSetEventBoostPriority (324, ... 01302 2044 NtWaitForSingleObject ... ) == 0x102 01305 764 NtWaitForSingleObject (324, 0, 0x0, ... 01303 1956 NtCreateThread ... 368, {1292, 2000}, ) == 0x0 01257 1068 NtWaitForSingleObject ... ) == 0x0 01304 968 NtSetEventBoostPriority ... ) == 0x0 01306 1524 NtWaitForSingleObject (136, 0, 0x0, ... 01307 2044 NtWaitForSingleObject (136, 0, 0x0, ... 01308 1068 NtSetEventBoostPriority (324, ... 01309 1956 NtQueryInformationThread (368, Basic, 28, ... 01310 240 NtWaitForSingleObject (64, 0, {0, 0}, ... 01259 308 NtWaitForSingleObject ... ) == 0x0 01309 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff9a000,Pid=1292,Tid=2000,}, 0x0, ) == 0x0 01310 240 NtWaitForSingleObject ... ) == 0x102 01311 308 NtSetEventBoostPriority (324, ... 01312 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58003, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58003, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\14\5\0\0\320\7\0\0" ... ... 01313 240 NtWaitForSingleObject (136, 0, 0x0, ... 01260 1856 NtWaitForSingleObject ... ) == 0x0 01311 308 NtSetEventBoostPriority ... ) == 0x0 01314 1856 NtSetEventBoostPriority (324, ... 01308 1068 NtSetEventBoostPriority ... ) == 0x0 01315 968 NtWaitForSingleObject (64, 0, {0, 0}, ... 01312 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58004, 0} ... {28, 56, reply, 0, 1292, 1956, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\1\0\0\14\5\0\0\320\7\0\0" ) ) == 0x0 01305 764 NtWaitForSingleObject ... ) == 0x0 01314 1856 NtSetEventBoostPriority ... ) == 0x0 01316 1068 NtWaitForSingleObject (324, 0, 0x0, ... 01315 968 NtWaitForSingleObject ... 
) == 0x102 01317 764 NtSetEventBoostPriority (324, ... 01318 1956 NtResumeThread (368, ... 01319 308 NtWaitForSingleObject (64, 0, {0, 0}, ... 01316 1068 NtWaitForSingleObject ... ) == 0x0 01317 764 NtSetEventBoostPriority ... ) == 0x0 01320 968 NtWaitForSingleObject (136, 0, 0x0, ... 01318 1956 NtResumeThread ... 1, ) == 0x0 01321 1068 NtAllocateVirtualMemory (-1, 1376256, 0, 4096, 4096, 4, ... 01319 308 NtWaitForSingleObject ... ) == 0x102 01322 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01323 2000 NtTestAlert (... 01321 1068 NtAllocateVirtualMemory ... 1376256, 4096, ) == 0x0 01324 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01325 308 NtWaitForSingleObject (272, 0, 0x0, ... 01323 2000 NtTestAlert ... ) == 0x0 01326 764 NtWaitForSingleObject (64, 0, {0, 0}, ... 01324 1956 NtAllocateVirtualMemory ... 42729472, 1048576, ) == 0x0 01327 2000 NtContinue (42728752, 1, ... 01326 764 NtWaitForSingleObject ... ) == 0x102 01328 1956 NtAllocateVirtualMemory (-1, 43769856, 0, 8192, 4096, 4, ... 01329 2000 NtRegisterThreadTerminatePort (24, ... 01330 764 NtWaitForSingleObject (272, 0, 0x0, ... 01331 1068 NtSetEventBoostPriority (272, ... 01329 2000 NtRegisterThreadTerminatePort ... ) == 0x0 01322 1856 NtWaitForSingleObject ... ) == 0x0 01331 1068 NtSetEventBoostPriority ... ) == 0x0 01328 1956 NtAllocateVirtualMemory ... 43769856, 8192, ) == 0x0 01332 1856 NtSetEventBoostPriority (272, ... 01333 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\mswsock.dll"}, 11006064, ... }, 11006064, ... 01325 308 NtWaitForSingleObject ... ) == 0x0 01332 1856 NtSetEventBoostPriority ... ) == 0x0 01334 1956 NtProtectVirtualMemory (-1, (0x29be000), 4096, 260, ... 01335 308 NtSetEventBoostPriority (272, ... 01333 1068 NtQueryAttributesFile ... ) == 0x0 01336 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01330 764 NtWaitForSingleObject ... ) == 0x0 01335 308 NtSetEventBoostPriority ... ) == 0x0 01334 1956 NtProtectVirtualMemory ... 
(0x29be000), 4096, 4, ) == 0x0 01337 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "SYSTEM\CurrentControlSet\Services\Winsock\Parameters"}, ... }, ... 01338 2000 NtWaitForSingleObject (272, 0, 0x0, ... 01339 764 NtSetEventBoostPriority (272, ... 01340 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01337 1068 NtOpenKey ... 372, ) == 0x0 01336 1856 NtWaitForSingleObject ... ) == 0x0 01339 764 NtSetEventBoostPriority ... ) == 0x0 01340 1956 NtCreateThread ... 376, {1292, 1852}, ) == 0x0 01341 308 NtWaitForSingleObject (136, 0, 0x0, ... 01342 1856 NtSetEventBoostPriority (272, ... 01343 1068 NtQueryValueKey (372, (372, "Transports", Partial, 144, ... , Partial, 144, ... 01344 1956 NtQueryInformationThread (376, Basic, 28, ... 01338 2000 NtWaitForSingleObject ... ) == 0x0 01343 1068 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01344 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff99000,Pid=1292,Tid=1852,}, 0x0, ) == 0x0 01345 2000 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01346 1068 NtQueryValueKey (372, (372, "Transports", Partial, 144, ... , Partial, 144, ... 01347 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58004, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58004, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\14\5\0\0<\7\0\0" ... ... 01345 2000 NtDuplicateObject ... 380, ) == 0x0 01346 1068 NtQueryValueKey ... TitleIdx=0, Type=7, Data= ... TitleIdx=0, Type=7, Data="T\0c\0p\0i\0p\0\0\0N\0e\0t\0B\0I\0O\0S\0\0\0R\0F\0C\0O\0M\0M\0\0\0\0\0"}, 56, ) }, 56, ) == 0x0 01347 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58005, 0} ... {28, 56, reply, 0, 1292, 1956, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\1\0\0\14\5\0\0<\7\0\0" ) ) == 0x0 01348 2000 NtWaitForSingleObject (64, 0, {0, 0}, ... 01349 1068 NtClose (372, ... 
01342 1856 NtSetEventBoostPriority ... ) == 0x0 01350 764 NtWaitForSingleObject (136, 0, 0x0, ... 01351 1956 NtResumeThread (376, ... 01349 1068 NtClose ... ) == 0x0 01352 1856 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\Device\KsecDD"}, 7, 16, ... }, 7, 16, ... 01351 1956 NtResumeThread ... 1, ) == 0x0 01348 2000 NtWaitForSingleObject ... ) == 0x102 01352 1856 NtOpenFile ... 372, {status=0x0, info=0}, ) == 0x0 01353 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01354 2000 NtWaitForSingleObject (136, 0, 0x0, ... 01355 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01356 1852 NtTestAlert (... 01353 1956 NtAllocateVirtualMemory ... 43778048, 1048576, ) == 0x0 01355 1068 NtOpenKey ... 384, ) == 0x0 01356 1852 NtTestAlert ... ) == 0x0 01357 1956 NtAllocateVirtualMemory (-1, 44818432, 0, 8192, 4096, 4, ... 01358 1068 NtQueryValueKey (384, (384, "Mapping", Partial, 144, ... , Partial, 144, ... 01359 1852 NtContinue (43777328, 1, ... 01357 1956 NtAllocateVirtualMemory ... 44818432, 8192, ) == 0x0 01358 1068 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01360 1852 NtRegisterThreadTerminatePort (24, ... 01361 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\211c\325l\237\242dOc>\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01362 1068 NtQueryValueKey (384, (384, "Mapping", Partial, 144, ... , Partial, 144, ... 
01360 1852 NtRegisterThreadTerminatePort ... ) == 0x0 01363 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01362 1068 NtQueryValueKey ... ) == STATUS_BUFFER_OVERFLOW 01364 1956 NtProtectVirtualMemory (-1, (0x2abe000), 4096, 260, ... 01363 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01365 1852 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01364 1956 NtProtectVirtualMemory ... (0x2abe000), 4096, 4, ) == 0x0 01366 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01365 1852 NtDuplicateObject ... 388, ) == 0x0 01367 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01366 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01368 1852 NtAllocateVirtualMemory (-1, 1380352, 0, 4096, 4096, 4, ... 01367 1956 NtCreateThread ... 392, {1292, 1420}, ) == 0x0 01369 1856 NtQuerySystemInformation (Performance, 312, ... 01368 1852 NtAllocateVirtualMemory ... 1380352, 4096, ) == 0x0 01370 1956 NtQueryInformationThread (392, Basic, 28, ... 01371 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01372 1852 NtSetEventBoostPriority (272, ... 01370 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff98000,Pid=1292,Tid=1420,}, 0x0, ) == 0x0 01371 1068 NtWaitForSingleObject ... ) == 0x0 01372 1852 NtSetEventBoostPriority ... ) == 0x0 01369 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01373 1068 NtQueryValueKey (384, (384, "Mapping", Partial, 152, ... , Partial, 152, ... 01374 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58005, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58005, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\14\5\0\0\214\5\0\0" ... ... 01373 1068 NtQueryValueKey ... TitleIdx=0, Type=3, Data= ... 
TitleIdx=0, Type=3, Data="\13\0\0\0\3\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\0\0\0\0\1\0\0\0\6\0\0\0\2\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\2\0\0\0\0\0\0\0\2\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0\21\0\0\0\0\0\0\0\2\0\0\0\21\0\0\0\2\0\0\0\3\0\0\0\0\0\0\0"}, 152, ) }, 152, ) == 0x0 01375 1856 NtQuerySystemInformation (Exception, 16, ... 01376 1068 NtClose (384, ... 01374 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58006, 0} ... {28, 56, reply, 0, 1292, 1956, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\1\0\0\14\5\0\0\214\5\0\0" ) ) == 0x0 01375 1856 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01377 1852 NtWaitForSingleObject (64, 0, {0, 0}, ... 01378 1956 NtResumeThread (392, ... 01379 1856 NtQuerySystemInformation (Lookaside, 32, ... 01377 1852 NtWaitForSingleObject ... ) == 0x102 01378 1956 NtResumeThread ... 1, ) == 0x0 01379 1856 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01380 1852 NtWaitForSingleObject (136, 0, 0x0, ... 01381 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01382 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01376 1068 NtClose ... ) == 0x0 01383 1420 NtTestAlert (... 01381 1956 NtAllocateVirtualMemory ... 44826624, 1048576, ) == 0x0 01384 1068 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters\Winsock"}, ... }, ... 01383 1420 NtTestAlert ... ) == 0x0 01385 1956 NtAllocateVirtualMemory (-1, 45867008, 0, 8192, 4096, 4, ... 01384 1068 NtOpenKey ... 384, ) == 0x0 01386 1420 NtContinue (44825904, 1, ... 01385 1956 NtAllocateVirtualMemory ... 45867008, 8192, ) == 0x0 01387 1068 NtQueryValueKey (384, (384, "MinSockaddrLength", Partial, 144, ... , Partial, 144, ... 01388 1420 NtRegisterThreadTerminatePort (24, ... 01389 1956 NtProtectVirtualMemory (-1, (0x2bbe000), 4096, 260, ... 01387 1068 NtQueryValueKey ... 
TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01388 1420 NtRegisterThreadTerminatePort ... ) == 0x0 01389 1956 NtProtectVirtualMemory ... (0x2bbe000), 4096, 4, ) == 0x0 01390 1068 NtQueryValueKey (384, (384, "MaxSockaddrLength", Partial, 144, ... , Partial, 144, ... 01382 1856 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01391 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01392 1420 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01393 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01390 1068 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\20\0\0\0"}, 16, ) }, 16, ) == 0x0 01392 1420 NtDuplicateObject ... 396, ) == 0x0 01393 1856 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01394 1068 NtQueryValueKey (384, (384, "UseDelayedAcceptance", Partial, 144, ... , Partial, 144, ... 01395 1420 NtWaitForSingleObject (64, 0, {0, 0}, ... 01396 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01394 1068 NtQueryValueKey ... TitleIdx=0, Type=4, Data= ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 01395 1420 NtWaitForSingleObject ... ) == 0x102 01396 1856 NtCreateKey ... -2147482584, 2, ) == 0x0 01397 1068 NtQueryValueKey (384, (384, "HelperDllName", Partial, 144, ... , Partial, 144, ... 01398 1420 NtWaitForSingleObject (136, 0, 0x0, ... 01399 1856 NtSetValueKey (-2147482584, (-2147482584, "Seed", 0, 3, "Q\24\236\3141\333XOl\357Z\343\340'\23n\11g\307\325\336\252o\234Z\370@\264\324\266\270S\277Z\274\225\230\33\306~`+\255\375qHU\33\236\357\361\212d\326NW\26=X\341U\26\315\23\27!\242\306\275 V\331[s.O\331\270\365\207", 80, ... 
, 0, 3, (-2147482584, "Seed", 0, 3, "Q\24\236\3141\333XOl\357Z\343\340'\23n\11g\307\325\336\252o\234Z\370@\264\324\266\270S\277Z\274\225\230\33\306~`+\255\375qHU\33\236\357\361\212d\326NW\26=X\341U\26\315\23\27!\242\306\275 V\331[s.O\331\270\365\207", 80, ... , 80, ... 01397 1068 NtQueryValueKey ... TitleIdx=0, Type=2, Data= ... TitleIdx=0, Type=2, Data="%\0S\0y\0s\0t\0e\0m\0R\0o\0o\0t\0%\0\\0S\0y\0s\0t\0e\0m\03\02\0\\0w\0s\0h\0t\0c\0p\0i\0p\0.\0d\0l\0l\0\0\0"}, 82, ) }, 82, ) == 0x0 01391 1956 NtCreateThread ... 400, {1292, 164}, ) == 0x0 01400 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007020, ... }, 11007020, ... 01401 1956 NtQueryInformationThread (400, Basic, 28, ... 01399 1856 NtSetValueKey ... ) == 0x0 01401 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff97000,Pid=1292,Tid=164,}, 0x0, ) == 0x0 01402 1856 NtClose (-2147482584, ... 01403 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58006, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58006, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\14\5\0\0\244\0\0\0" ... ... 01402 1856 NtClose ... ) == 0x0 01403 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58007, 0} ... {28, 56, reply, 0, 1292, 1956, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\1\0\0\14\5\0\0\244\0\0\0" ) ) == 0x0 01361 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\334"\27N\30ou\14\223\33\246F\343\350\33$\251\31\11|s\204\13v\225\330\370\301/\372T\246\273Ak4\207\247t\\300\271F84HV\241\376xv\352\3#\347\223\355\313\308\374\0\3728\10X\340\7O\251_\235\260\217_[2\316\257q\375~|\333q\343\326\245\247R`\302Iza\254"!\4\313[\351v[\351H\342\353\266\226\353\210\+%[\304H\374\233`\21\316\223\202\323q\331\32S\216S\16\350|\334\11@\346\351\3534\30\253\256$\216!\327\356\235M;\1\335\341p@y+\326\306\212\200Yw:\224qTVhI\274jI\13\347W \343\220maf\376\336\201\224\334\200n\377\317\271\3\314\2238w\236\206\341\264\360\347\300=\237`\262\217\310A\271\242\23\357\2721\16\11\254\323k|.Ms\242\306\334\17O\301\212(\342\241\250\205[\372\344)\345\254,|\327I=\315z", ) \27N\30ou\14\223\33\246F\343\350\33$\251\31\11|s\204\13v\225\330\370\301/\372T\246\273Ak4\207\247t\\300\271F84HV\241\376xv\352\3#\347\223\355\313\308\374\0\3728\10X\340\7O\251_\235\260\217_[2\316\257q\375~|\333q\343\326\245\247R`\302Iza\254 ... {status=0x0, info=256}, "\334"\27N\30ou\14\223\33\246F\343\350\33$\251\31\11|s\204\13v\225\330\370\301/\372T\246\273Ak4\207\247t\\300\271F84HV\241\376xv\352\3#\347\223\355\313\308\374\0\3728\10X\340\7O\251_\235\260\217_[2\316\257q\375~|\333q\343\326\245\247R`\302Iza\254"!\4\313[\351v[\351H\342\353\266\226\353\210\+%[\304H\374\233`\21\316\223\202\323q\331\32S\216S\16\350|\334\11@\346\351\3534\30\253\256$\216!\327\356\235M;\1\335\341p@y+\326\306\212\200Yw:\224qTVhI\274jI\13\347W \343\220maf\376\336\201\224\334\200n\377\317\271\3\314\2238w\236\206\341\264\360\347\300=\237`\262\217\310A\271\242\23\357\2721\16\11\254\323k|.Ms\242\306\334\17O\301\212(\342\241\250\205[\372\344)\345\254,|\327I=\315z", ) , ) == 0x0 01400 1068 NtQueryAttributesFile ... ) == 0x0 01404 1856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01405 1068 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01404 1856 NtCreateEvent ... 404, ) == 0x0 01405 1068 NtOpenFile ... 
408, {status=0x0, info=1}, ) == 0x0 01406 1956 NtResumeThread (400, ... 01407 1068 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 408, ... 01406 1956 NtResumeThread ... 1, ) == 0x0 01407 1068 NtCreateSection ... 412, ) == 0x0 01408 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01409 1068 NtClose (408, ... 01408 1956 NtAllocateVirtualMemory ... 45875200, 1048576, ) == 0x0 01410 1856 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12054020, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12054020, 188, ... 01411 164 NtWaitForSingleObject (88, 0, 0x0, ... 01412 1956 NtAllocateVirtualMemory (-1, 46915584, 0, 8192, 4096, 4, ... 46915584, 8192, ) == 0x0 01410 1856 NtConnectPort ... 416, 0x0, 0x0, 0x0, 188, ) == 0x0 01409 1068 NtClose ... ) == 0x0 01413 1956 NtProtectVirtualMemory (-1, (0x2cbe000), 4096, 260, ... 01414 1068 NtMapViewOfSection (412, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01413 1956 NtProtectVirtualMemory ... (0x2cbe000), 4096, 4, ) == 0x0 01414 1068 NtMapViewOfSection ... (0x850000), 0x0, 20480, ) == 0x0 01415 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01416 1068 NtClose (412, ... 01415 1956 NtCreateThread ... 408, {1292, 1564}, ) == 0x0 01416 1068 NtClose ... ) == 0x0 01417 1956 NtQueryInformationThread (408, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff96000,Pid=1292,Tid=1564,}, 0x0, ) == 0x0 01418 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58007, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\14\5\0\0\34\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\14\5\0\0\34\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58009, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58007, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\14\5\0\0\34\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\1\0\0\14\5\0\0\34\6\0\0" ) ) == 0x0 01419 1956 NtResumeThread (408, ... 
1, ) == 0x0 01420 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01421 1856 NtRequestWaitReplyPort (416, {200, 224, new_msg, 0, 1382616, 12, 2, 1310721} (416, {200, 224, new_msg, 0, 1382616, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\10\27\25\0\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\37\203\275\226\307\232x\213\210\30\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`\30\25\0\271\2777[x\1\24\0\200\30\25\0h\1\24\0\0\0\0\0\0\0\0\0\200\30\25\0P\0\0\0\210\30\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\267\0\372\31\221|\30\364\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01422 1564 NtWaitForSingleObject (88, 0, 0x0, ... 01423 1068 NtUnmapViewOfSection (-1, 0x850000, ... ) == 0x0 01424 1068 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 11007328, ... ) }, 11007328, ... ) == 0x0 01425 1068 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\wshtcpip.dll"}, 5, 96, ... }, 5, 96, ... 01421 1856 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1292, 1856, 58010, 0} ... {200, 224, reply, 0, 1292, 1856, 58010, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0x\1\24\0\0\0\0\0\0\0\25\0\1\0\0\0\37\203\275\226\307\232x\213\210\30\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0`\30\25\0\271\2777[x\1\24\0\200\30\25\0h\1\24\0\0\0\0\0\0\0\0\0\200\30\25\0P\0\0\0\210\30\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\204\354\267\0\372\31\221|\30\364\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01420 1956 NtAllocateVirtualMemory ... 
46923776, 1048576, ) == 0x0 01426 1856 NtRequestWaitReplyPort (416, {64, 88, new_msg, 0, 0, 0, 0, 0} (416, {64, 88, new_msg, 0, 0, 0, 0, 0} "\1\0\0\0A\2\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" ... ... 01427 1956 NtAllocateVirtualMemory (-1, 47964160, 0, 8192, 4096, 4, ... 47964160, 8192, ) == 0x0 01428 1956 NtProtectVirtualMemory (-1, (0x2dbe000), 4096, 260, ... (0x2dbe000), 4096, 4, ) == 0x0 01429 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01425 1068 NtOpenFile ... 412, {status=0x0, info=1}, ) == 0x0 01430 1068 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 412, ... 420, ) == 0x0 01431 1068 NtQuerySection (420, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 01432 1068 NtClose (412, ... ) == 0x0 01433 1068 NtMapViewOfSection (420, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x71a90000), 0x0, 32768, ) == 0x0 01434 1068 NtClose (420, ... ) == 0x0 01435 1068 NtProtectVirtualMemory (-1, (0x71a91000), 128, 4, ... 01429 1956 NtCreateThread ... 420, {1292, 1592}, ) == 0x0 01436 1956 NtQueryInformationThread (420, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff95000,Pid=1292,Tid=1592,}, 0x0, ) == 0x0 01437 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58009, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\14\5\0\08\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\14\5\0\08\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58012, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58009, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\14\5\0\08\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\1\0\0\14\5\0\08\6\0\0" ) ) == 0x0 01438 1956 NtResumeThread (420, ... 1, ) == 0x0 01439 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
47972352, 1048576, ) == 0x0 01440 1956 NtAllocateVirtualMemory (-1, 49012736, 0, 8192, 4096, 4, ... 49012736, 8192, ) == 0x0 01435 1068 NtProtectVirtualMemory ... (0x71a91000), 4096, 32, ) == 0x0 01441 1592 NtWaitForSingleObject (88, 0, 0x0, ... 01442 1068 NtProtectVirtualMemory (-1, (0x71a91000), 4096, 32, ... (0x71a91000), 4096, 4, ) == 0x0 01443 1068 NtFlushInstructionCache (-1, 1906905088, 128, ... ) == 0x0 01444 1068 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01445 1068 NtSetEventBoostPriority (88, ... 01446 1956 NtProtectVirtualMemory (-1, (0x2ebe000), 4096, 260, ... (0x2ebe000), 4096, 4, ) == 0x0 01447 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 412, {1292, 932}, ) == 0x0 01448 1956 NtQueryInformationThread (412, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff94000,Pid=1292,Tid=932,}, 0x0, ) == 0x0 01449 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58012, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\14\5\0\0\244\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\14\5\0\0\244\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58013, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58012, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\14\5\0\0\244\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\1\0\0\14\5\0\0\244\3\0\0" ) ) == 0x0 01450 1956 NtResumeThread (412, ... 1, ) == 0x0 01451 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01411 164 NtWaitForSingleObject ... ) == 0x0 01445 1068 NtSetEventBoostPriority ... ) == 0x0 01426 1856 NtRequestWaitReplyPort ... {52, 76, reply, 0, 1292, 1856, 58011, 0} ... 
{52, 76, reply, 0, 1292, 1856, 58011, 0} "\2\356Q\200\1\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\260\37\12\0\1\0\0\0\1\0\0\0\300\250|\207\377\377\377\0" ) ) == 0x0 01452 932 NtWaitForSingleObject (88, 0, 0x0, ... 01453 164 NtSetEventBoostPriority (88, ... 01454 1068 NtClose (384, ... 01451 1956 NtAllocateVirtualMemory ... 49020928, 1048576, ) == 0x0 01422 1564 NtWaitForSingleObject ... ) == 0x0 01453 164 NtSetEventBoostPriority ... ) == 0x0 01454 1068 NtClose ... ) == 0x0 01455 1564 NtSetEventBoostPriority (88, ... 01456 1956 NtAllocateVirtualMemory (-1, 50061312, 0, 8192, 4096, 4, ... 01457 1856 NtClose (404, ... 01441 1592 NtWaitForSingleObject ... ) == 0x0 01455 1564 NtSetEventBoostPriority ... ) == 0x0 01458 1068 NtWaitForSingleObject (88, 0, 0x0, ... 01456 1956 NtAllocateVirtualMemory ... 50061312, 8192, ) == 0x0 01459 1592 NtSetEventBoostPriority (88, ... 01457 1856 NtClose ... ) == 0x0 01460 164 NtTestAlert (... 01452 932 NtWaitForSingleObject ... ) == 0x0 01459 1592 NtSetEventBoostPriority ... ) == 0x0 01461 1956 NtProtectVirtualMemory (-1, (0x2fbe000), 4096, 260, ... 01462 1856 NtClose (416, ... 01463 932 NtSetEventBoostPriority (88, ... 01460 164 NtTestAlert ... ) == 0x0 01464 1564 NtTestAlert (... 01461 1956 NtProtectVirtualMemory ... (0x2fbe000), 4096, 4, ) == 0x0 01458 1068 NtWaitForSingleObject ... ) == 0x0 01463 932 NtSetEventBoostPriority ... ) == 0x0 01462 1856 NtClose ... ) == 0x0 01465 164 NtContinue (45874480, 1, ... 01464 1564 NtTestAlert ... ) == 0x0 01466 1068 NtCreateFile (0xc0100000, {24, 0, 0x42, 0, 0, (0xc0100000, {24, 0, 0x42, 0, 0, "\Device\Afd\Endpoint"}, 0x0, 0, 3, 3, 0, 11009664, 67, ... }, 0x0, 0, 3, 3, 0, 11009664, 67, ... 01467 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01468 1592 NtTestAlert (... 01469 1856 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... 
}, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01470 164 NtRegisterThreadTerminatePort (24, ... 01466 1068 NtCreateFile ... 416, {status=0x0, info=0}, ) == 0x0 01471 1564 NtContinue (46923056, 1, ... 01472 932 NtTestAlert (... 01468 1592 NtTestAlert ... ) == 0x0 01469 1856 NtCreateKey ... 404, 2, ) == 0x0 01470 164 NtRegisterThreadTerminatePort ... ) == 0x0 01467 1956 NtCreateThread ... 384, {1292, 1528}, ) == 0x0 01473 1564 NtRegisterThreadTerminatePort (24, ... 01472 932 NtTestAlert ... ) == 0x0 01474 1592 NtContinue (47971632, 1, ... 01475 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x1207b, (416, 112, 0x0, 0x0, 0x1207b, "\7\0\0\0x\1\24\0\340\0\0\0\216\326\220|", 16, 16, ... , 16, 16, ... 01476 164 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01477 1956 NtQueryInformationThread (384, Basic, 28, ... 01473 1564 NtRegisterThreadTerminatePort ... ) == 0x0 01478 932 NtContinue (49020208, 1, ... 01479 1592 NtRegisterThreadTerminatePort (24, ... 01475 1068 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\7\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0 01480 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01477 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff93000,Pid=1292,Tid=1528,}, 0x0, ) == 0x0 01481 1564 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01482 932 NtRegisterThreadTerminatePort (24, ... 01479 1592 NtRegisterThreadTerminatePort ... ) == 0x0 01483 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x1207b, (416, 112, 0x0, 0x0, 0x1207b, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", 16, 16, ... , 16, 16, ... 01480 1856 NtOpenKey ... 
424, ) == 0x0 01484 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58013, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58013, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\14\5\0\0\370\5\0\0" ... ... 01476 164 NtDuplicateObject ... 428, ) == 0x0 01482 932 NtRegisterThreadTerminatePort ... ) == 0x0 01485 1592 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01483 1068 NtDeviceIoControlFile ... {status=0x0, info=16}, ... {status=0x0, info=16}, "\6\0\0\00\207\273\201\0 \0\0@\273\201\201", ) , ) == 0x0 01486 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01484 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58015, 0} ... {28, 56, reply, 0, 1292, 1956, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\1\0\0\14\5\0\0\370\5\0\0" ) ) == 0x0 01487 164 NtWaitForSingleObject (64, 0, {0, 0}, ... 01488 932 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01481 1564 NtDuplicateObject ... 432, ) == 0x0 01489 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x12047, (416, 112, 0x0, 0x0, 0x12047, "\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\377\377\377\377\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 16, ... , 248, 16, ... 01486 1856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01485 1592 NtDuplicateObject ... 436, ) == 0x0 01487 164 NtWaitForSingleObject ... ) == 0x102 01490 1956 NtResumeThread (384, ... 01491 1564 NtWaitForSingleObject (64, 0, {0, 0}, ... 01489 1068 NtDeviceIoControlFile ... 
{status=0x0, info=0}, "", ) == 0x0 01492 1856 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... , Partial, 144, ... 01493 1592 NtWaitForSingleObject (64, 0, {0, 0}, ... 01494 164 NtWaitForSingleObject (136, 0, 0x0, ... 01490 1956 NtResumeThread ... 1, ) == 0x0 01491 1564 NtWaitForSingleObject ... ) == 0x102 01488 932 NtDuplicateObject ... 440, ) == 0x0 01495 1528 NtTestAlert (... 01492 1856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01493 1592 NtWaitForSingleObject ... ) == 0x102 01496 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01497 1564 NtWaitForSingleObject (136, 0, 0x0, ... 01498 932 NtAllocateVirtualMemory (-1, 1384448, 0, 4096, 4096, 4, ... 01495 1528 NtTestAlert ... ) == 0x0 01499 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01500 1592 NtWaitForSingleObject (272, 0, 0x0, ... 01496 1956 NtAllocateVirtualMemory ... 50069504, 1048576, ) == 0x0 01498 932 NtAllocateVirtualMemory ... 1384448, 4096, ) == 0x0 01501 1528 NtContinue (50068784, 1, ... 01502 1956 NtAllocateVirtualMemory (-1, 51109888, 0, 8192, 4096, 4, ... 01503 932 NtSetEventBoostPriority (272, ... 01504 1528 NtRegisterThreadTerminatePort (24, ... 01502 1956 NtAllocateVirtualMemory ... 51109888, 8192, ) == 0x0 01499 1068 NtWaitForSingleObject ... ) == 0x0 01503 932 NtSetEventBoostPriority ... ) == 0x0 01504 1528 NtRegisterThreadTerminatePort ... ) == 0x0 01505 1856 NtQueryValueKey (404, (404, "Hostname", Partial, 144, ... , Partial, 144, ... 01506 1068 NtSetEventBoostPriority (272, ... 01507 932 NtWaitForSingleObject (272, 0, 0x0, ... 01508 1956 NtProtectVirtualMemory (-1, (0x30be000), 4096, 260, ... 01500 1592 NtWaitForSingleObject ... ) == 0x0 01506 1068 NtSetEventBoostPriority ... ) == 0x0 01505 1856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="v\0i\0r\0t\0u\0a\0l\0\0\0"}, 28, ) }, 28, ) == 0x0 01509 1528 NtWaitForSingleObject (272, 0, 0x0, ... 
01510 1592 NtSetEventBoostPriority (272, ... 01508 1956 NtProtectVirtualMemory ... (0x30be000), 4096, 4, ) == 0x0 01511 1068 NtWaitForSingleObject (56, 0, {0, 0}, ... 01512 1856 NtClose (404, ... 01510 1592 NtSetEventBoostPriority ... ) == 0x0 01509 1528 NtWaitForSingleObject ... ) == 0x0 01513 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01512 1856 NtClose ... ) == 0x0 01511 1068 NtWaitForSingleObject ... ) == 0x102 01514 1528 NtSetEventBoostPriority (272, ... 01513 1956 NtCreateThread ... 404, {1292, 1780}, ) == 0x0 01515 1856 NtClose (424, ... 01516 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01507 932 NtWaitForSingleObject ... ) == 0x0 01514 1528 NtSetEventBoostPriority ... ) == 0x0 01517 1956 NtQueryInformationThread (404, Basic, 28, ... 01515 1856 NtClose ... ) == 0x0 01518 932 NtSetEventBoostPriority (272, ... 01519 1528 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01517 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff92000,Pid=1292,Tid=1780,}, 0x0, ) == 0x0 01520 1592 NtWaitForSingleObject (136, 0, 0x0, ... 01516 1068 NtWaitForSingleObject ... ) == 0x0 01518 932 NtSetEventBoostPriority ... ) == 0x0 01521 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01519 1528 NtDuplicateObject ... 424, ) == 0x0 01522 1068 NtSetEventBoostPriority (272, ... 01523 932 NtWaitForSingleObject (272, 0, 0x0, ... 01524 1528 NtWaitForSingleObject (272, 0, 0x0, ... 01521 1856 NtWaitForSingleObject ... ) == 0x0 01522 1068 NtSetEventBoostPriority ... ) == 0x0 01525 1856 NtSetEventBoostPriority (272, ... 01526 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58015, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58015, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\14\5\0\0\364\6\0\0" ... ... 01523 932 NtWaitForSingleObject ... ) == 0x0 01525 1856 NtSetEventBoostPriority ... ) == 0x0 01527 932 NtSetEventBoostPriority (272, ... 01526 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58016, 0} ... 
{28, 56, reply, 0, 1292, 1956, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\1\0\0\14\5\0\0\364\6\0\0" ) ) == 0x0 01524 1528 NtWaitForSingleObject ... ) == 0x0 01527 932 NtSetEventBoostPriority ... ) == 0x0 01528 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01529 1528 NtSetEventBoostPriority (272, ... 01530 1956 NtResumeThread (404, ... 01531 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x12003, (416, 112, 0x0, 0x0, 0x12003, "\0\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", 26, 26, ... , 26, 26, ... 01532 932 NtWaitForSingleObject (272, 0, 0x0, ... 01529 1528 NtSetEventBoostPriority ... ) == 0x0 01530 1956 NtResumeThread ... 1, ) == 0x0 01531 1068 NtDeviceIoControlFile ... {status=0x0, info=444}, ... {status=0x0, info=444}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01532 932 NtWaitForSingleObject ... ) == 0x0 01533 1780 NtTestAlert (... 01534 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01535 1528 NtWaitForSingleObject (272, 0, 0x0, ... 01536 932 NtSetEventBoostPriority (272, ... 01533 1780 NtTestAlert ... ) == 0x0 01537 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x12047, (416, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\0\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0(\0*\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01528 1856 NtWaitForSingleObject ... ) == 0x0 01536 932 NtSetEventBoostPriority ... ) == 0x0 01538 1780 NtContinue (51117360, 1, ... 01539 1856 NtSetEventBoostPriority (272, ... 01537 1068 NtDeviceIoControlFile ... 
{status=0x0, info=0}, 0x0, ) == 0x0 01540 932 NtWaitForSingleObject (64, 0, {0, 0}, ... 01535 1528 NtWaitForSingleObject ... ) == 0x0 01541 1780 NtRegisterThreadTerminatePort (24, ... 01542 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x12037, (416, 112, 0x0, 0x0, 0x12037, "\2\0\0\0", 4, 8, ... , 4, 8, ... 01539 1856 NtSetEventBoostPriority ... ) == 0x0 01534 1956 NtAllocateVirtualMemory ... 51118080, 1048576, ) == 0x0 01543 1528 NtWaitForSingleObject (64, 0, {0, 0}, ... 01541 1780 NtRegisterThreadTerminatePort ... ) == 0x0 01542 1068 NtDeviceIoControlFile ... {status=0x0, info=8}, ... {status=0x0, info=8}, "\0\0\0\0\0\0\0\0", ) , ) == 0x0 01544 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323+bQutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01545 1956 NtAllocateVirtualMemory (-1, 52158464, 0, 8192, 4096, 4, ... 01543 1528 NtWaitForSingleObject ... ) == 0x102 01540 932 NtWaitForSingleObject ... ) == 0x102 01546 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x1200b, (416, 112, 0x0, 0x0, 0x1200b, "\0\376\247\0\5\0\0\0\0\255\24\0", 12, 0, ... , 12, 0, ... 01547 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01545 1956 NtAllocateVirtualMemory ... 52158464, 8192, ) == 0x0 01548 1780 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01549 932 NtWaitForSingleObject (136, 0, 0x0, ... 01546 1068 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01550 1528 NtWaitForSingleObject (136, 0, 0x0, ... 
01551 1956 NtProtectVirtualMemory (-1, (0x31be000), 4096, 260, ... 01548 1780 NtDuplicateObject ... 448, ) == 0x0 01547 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01551 1956 NtProtectVirtualMemory ... (0x31be000), 4096, 4, ) == 0x0 01552 1780 NtWaitForSingleObject (64, 0, {0, 0}, ... 01553 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01554 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01552 1780 NtWaitForSingleObject ... ) == 0x102 01553 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01555 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x12047, (416, 112, 0x0, 0x0, 0x12047, "\1\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\20\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0\0\0 \0\0\1\0\0\0\1\0\0\0\351\3\0\0f\0\2\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0h\0\0\0\310\376\247\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0\1\0\0\0\6\0\0\0\0 \0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\1\0\0\1\0\0\0 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 248, 0, ... , 248, 0, ... 01556 1780 NtWaitForSingleObject (136, 0, 0x0, ... 01557 1856 NtQuerySystemInformation (Performance, 312, ... 01555 1068 NtDeviceIoControlFile ... {status=0x0, info=0}, 0x0, ) == 0x0 01554 1956 NtCreateThread ... 452, {1292, 1804}, ) == 0x0 01557 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01558 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x1202f, 0x0, 0, 26, ... 01559 1956 NtQueryInformationThread (452, Basic, 28, ... 01560 1856 NtQuerySystemInformation (Exception, 16, ... 01558 1068 NtDeviceIoControlFile ... {status=0x0, info=26}, ... {status=0x0, info=26}, "\1\0\0\0\1\0\0\0\16\0\2\0\25\262\0\0\0\0\0\0\0\0\0\0\0\0", ) , ) == 0x0 01559 1956 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff91000,Pid=1292,Tid=1804,}, 0x0, ) == 0x0 01561 1068 NtCreateEvent (0x100003, 0x0, 1, 0, ... 01562 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58016, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58016, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\14\5\0\0\14\7\0\0" ... ... 01561 1068 NtCreateEvent ... 456, ) == 0x0 01562 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58017, 0} ... {28, 56, reply, 0, 1292, 1956, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\1\0\0\14\5\0\0\14\7\0\0" ) ) == 0x0 01560 1856 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01563 1068 NtWaitForSingleObject (456, 0, 0x0, ... 01564 1856 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01565 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01566 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01567 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0 01568 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "\362h\317\247\273u\342d\303\0w\320\327zo\335\316!\213Dygk\207L\17\177\360\7\21\\262\2\353'\2440\340\36c\364\250\14\205\13\30}\374Po\221\217\311\347\337+\312\10j\270\210\373\15\274\15'-\220@\374\11`\347\276\315z\221\235p", 80, ... ) , 0, 3, (-2147482132, "Seed", 0, 3, "\362h\317\247\273u\342d\303\0w\320\327zo\335\316!\213Dygk\207L\17\177\360\7\21\\262\2\353'\2440\340\36c\364\250\14\205\13\30}\374Po\221\217\311\347\337+\312\10j\270\210\373\15\274\15'-\220@\374\11`\347\276\315z\221\235p", 80, ... ) , 80, ... ) == 0x0 01569 1856 NtClose (-2147482132, ... 01570 1956 NtResumeThread (452, ... 1, ) == 0x0 01571 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
52166656, 1048576, ) == 0x0 01572 1956 NtAllocateVirtualMemory (-1, 53207040, 0, 8192, 4096, 4, ... 53207040, 8192, ) == 0x0 01573 1956 NtProtectVirtualMemory (-1, (0x32be000), 4096, 260, ... (0x32be000), 4096, 4, ) == 0x0 01574 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01569 1856 NtClose ... ) == 0x0 01575 1804 NtTestAlert (... 01544 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "j=w\32\26\26=\232\232\264\353Z\353\375\316\357,\377\307@Q0&\240\220\263/\325\330\3705\321\211\314V\325zps\200\241\327if\26\250|lE \5\16\314\263^\304\240\323m+\330X\322NWp{\327\22\332\207F\361\347#i\5\27\352\16HB\245\163\2642\307\277\211CO\255\33\254|\277\357\27\321\320\307\300\13\204\210/\200\346\342\32\3553J(\327f\251\22\314\217|>\20^P5\27\366\333g~u\373E\220M\301\340{S\316\32O}\306WK\376\16U\10W\262\263\12\377\266}\242\232\343\361\3266q\16sRis\271&\307\307?uZ\331\357\237\314\322b\304S\27\360E\201\3262\230\31\\273@cR\306\240\353c\267\366\15\251w\303\357\310d\37\262\367\311S\312oG\W\243C\226\241\317\331\242\330-\323cvA"\17\370", ) \17\370", ) == 0x0 01575 1804 NtTestAlert ... ) == 0x0 01576 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01577 1804 NtContinue (52165936, 1, ... 01578 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01579 1804 NtRegisterThreadTerminatePort (24, ... 01578 1856 NtQuerySystemInformation ... 
{system info, class 3, size 48}, 48, ) == 0x0 01579 1804 NtRegisterThreadTerminatePort ... ) == 0x0 01580 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01574 1956 NtCreateThread ... 460, {1292, 1644}, ) == 0x0 01581 1804 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01582 1956 NtQueryInformationThread (460, Basic, 28, ... 01581 1804 NtDuplicateObject ... 464, ) == 0x0 01582 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff90000,Pid=1292,Tid=1644,}, 0x0, ) == 0x0 01583 1804 NtWaitForSingleObject (64, 0, {0, 0}, ... 01584 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58017, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58017, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\14\5\0\0l\6\0\0" ... ... 01583 1804 NtWaitForSingleObject ... ) == 0x102 01584 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58018, 0} ... {28, 56, reply, 0, 1292, 1956, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\1\0\0\14\5\0\0l\6\0\0" ) ) == 0x0 01585 1804 NtWaitForSingleObject (136, 0, 0x0, ... 01580 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01586 1956 NtResumeThread (460, ... 01587 1856 NtQuerySystemInformation (Performance, 312, ... 01586 1956 NtResumeThread ... 1, ) == 0x0 01587 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01588 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01589 1856 NtQuerySystemInformation (Exception, 16, ... 01588 1956 NtAllocateVirtualMemory ... 53215232, 1048576, ) == 0x0 01589 1856 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01590 1956 NtAllocateVirtualMemory (-1, 54255616, 0, 8192, 4096, 4, ... 01591 1856 NtQuerySystemInformation (Lookaside, 32, ... 01590 1956 NtAllocateVirtualMemory ... 54255616, 8192, ) == 0x0 01592 1644 NtTestAlert (... 01591 1856 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01592 1644 NtTestAlert ... 
) == 0x0 01593 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01594 1644 NtContinue (53214512, 1, ... 01593 1856 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01595 1644 NtRegisterThreadTerminatePort (24, ... 01596 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01595 1644 NtRegisterThreadTerminatePort ... ) == 0x0 01596 1856 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01597 1956 NtProtectVirtualMemory (-1, (0x33be000), 4096, 260, ... 01598 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01597 1956 NtProtectVirtualMemory ... (0x33be000), 4096, 4, ) == 0x0 01599 1644 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01600 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01599 1644 NtDuplicateObject ... 468, ) == 0x0 01600 1956 NtCreateThread ... 472, {1292, 336}, ) == 0x0 01601 1644 NtWaitForSingleObject (64, 0, {0, 0}, ... 01602 1956 NtQueryInformationThread (472, Basic, 28, ... 01601 1644 NtWaitForSingleObject ... ) == 0x102 01602 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8f000,Pid=1292,Tid=336,}, 0x0, ) == 0x0 01603 1644 NtWaitForSingleObject (136, 0, 0x0, ... 01598 1856 NtCreateKey ... -2147482132, 2, ) == 0x0 01604 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58018, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58018, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\14\5\0\0P\1\0\0" ... ... 01605 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "mL\374\365TP\262\17\222wSl)2\362\371\177\327\352\241\315\376;9DP=\200\360\325\257\234S\230{\367r?\274\11\334\257\321\211\300=\ik\321\36\6\220\224(Q\236$\3103\30WVN\345\276{\320\23\205GQ\366\202\377\330n\21\260x", 80, ... 
, 0, 3, (-2147482132, "Seed", 0, 3, "mL\374\365TP\262\17\222wSl)2\362\371\177\327\352\241\315\376;9DP=\200\360\325\257\234S\230{\367r?\274\11\334\257\321\211\300=\ik\321\36\6\220\224(Q\236$\3103\30WVN\345\276{\320\23\205GQ\366\202\377\330n\21\260x", 80, ... , 80, ... 01604 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58019, 0} ... {28, 56, reply, 0, 1292, 1956, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\1\0\0\14\5\0\0P\1\0\0" ) ) == 0x0 01605 1856 NtSetValueKey ... ) == 0x0 01606 1956 NtResumeThread (472, ... 01607 1856 NtClose (-2147482132, ... 01606 1956 NtResumeThread ... 1, ) == 0x0 01607 1856 NtClose ... ) == 0x0 01608 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01576 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "ces\340\310Mo\304\377Q\16q\330\255\203\266Z~\222\264\12I\337\237\2540r^\365x\266}\3572\206$>\266a\37\362\31:\325\262\255 \0F\237\324\21_K\334%\1\217\33\362\4\351\375W\302\230?\337W\223T\311\273\2734\3205{\221\335BH\210\2\312(\330\337v\301a\344\247v\331Q\263\353\235\303\321\6\271\213\310\235\321mW\34U8X\355\276se\25\337\2257.\364\350\240\254:\347\262Ev.\373\355\306\310\1N*D\204\327\10\330A\350U\235gw\20\376PE:\236g\225\232\20\330PY\353\364~\262\271\373\317tA~I\312;\3008\202Z\315r\326\315;3/\352Z\231\300\2534\27B\222\14\14\32Hr\177Th\234CZ\353t\246a\360^?'\315\4\232$\334f\257e\260\304/\323&\230"p\4\3504\7\248|l\341\17\244A4-\27<\27\374\307\3439B", ) p\4\3504\7\248|l\341\17\244A4-\27<\27\374\307\3439B", ) == 0x0 01609 336 NtTestAlert (... 01608 1956 NtAllocateVirtualMemory ... 54263808, 1048576, ) == 0x0 01609 336 NtTestAlert ... ) == 0x0 01610 1956 NtAllocateVirtualMemory (-1, 55304192, 0, 8192, 4096, 4, ... 01611 336 NtContinue (54263088, 1, ... 01610 1956 NtAllocateVirtualMemory ... 55304192, 8192, ) == 0x0 01612 336 NtRegisterThreadTerminatePort (24, ... 01613 1956 NtProtectVirtualMemory (-1, (0x34be000), 4096, 260, ... 01612 336 NtRegisterThreadTerminatePort ... 
) == 0x0 01613 1956 NtProtectVirtualMemory ... (0x34be000), 4096, 4, ) == 0x0 01614 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\253\365M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01615 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01616 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01617 336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01616 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01617 336 NtDuplicateObject ... 476, ) == 0x0 01618 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01619 336 NtWaitForSingleObject (64, 0, {0, 0}, ... 01618 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01619 336 NtWaitForSingleObject ... ) == 0x102 01620 1856 NtQuerySystemInformation (Performance, 312, ... 01621 336 NtWaitForSingleObject (136, 0, 0x0, ... 01615 1956 NtCreateThread ... 480, {1292, 800}, ) == 0x0 01620 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01622 1956 NtQueryInformationThread (480, Basic, 28, ... 01623 1856 NtQuerySystemInformation (Exception, 16, ... 01622 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8e000,Pid=1292,Tid=800,}, 0x0, ) == 0x0 01623 1856 NtQuerySystemInformation ... 
{system info, class 33, size 16}, 16, ) == 0x0 01624 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58019, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58019, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\14\5\0\0 \3\0\0" ... ... 01625 1856 NtQuerySystemInformation (Lookaside, 32, ... 01624 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58020, 0} ... {28, 56, reply, 0, 1292, 1956, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\1\0\0\14\5\0\0 \3\0\0" ) ) == 0x0 01625 1856 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01626 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01627 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01628 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0 01629 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "\3141\12\6\225\307Jz\253\343\21lqk h\212\\35~\307\23\7\21,,/\211b\367\362\225\350\246$\364\346\33\306\16\245\237\6#\325\347b\3714\7I\354\220\362\234\224\313\5{l\362\367\254\203\254P\253\204\301\330M\220\37\257o3\330\353w\244", 80, ... , 0, 3, (-2147482132, "Seed", 0, 3, "\3141\12\6\225\307Jz\253\343\21lqk h\212\\35~\307\23\7\21,,/\211b\367\362\225\350\246$\364\346\33\306\16\245\237\6#\325\347b\3714\7I\354\220\362\234\224\313\5{l\362\367\254\203\254P\253\204\301\330M\220\37\257o3\330\353w\244", 80, ... , 80, ... 01630 1956 NtResumeThread (480, ... 1, ) == 0x0 01631 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 55312384, 1048576, ) == 0x0 01632 1956 NtAllocateVirtualMemory (-1, 56352768, 0, 8192, 4096, 4, ... 56352768, 8192, ) == 0x0 01633 1956 NtProtectVirtualMemory (-1, (0x35be000), 4096, 260, ... (0x35be000), 4096, 4, ) == 0x0 01634 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
484, {1292, 504}, ) == 0x0 01635 1956 NtQueryInformationThread (484, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8d000,Pid=1292,Tid=504,}, 0x0, ) == 0x0 01629 1856 NtSetValueKey ... ) == 0x0 01636 800 NtTestAlert (... 01637 1856 NtClose (-2147482132, ... 01636 800 NtTestAlert ... ) == 0x0 01637 1856 NtClose ... ) == 0x0 01638 800 NtContinue (55311664, 1, ... 01614 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "n\202\247y/\317\25\244\b\256\252\226)\11\235\265\255\314,\375T2\263(]\305\25\317\355\367\35\277\177m}\235\3044\226\274m\40\1\242\\362\241Kd\276\207]\20\21*\344\263\12\303\214~\374\202\331\201\232d\343t\301\356x\372<\341"\310wi\306\237RQL\213\4\256v\365x\220\376\344\206\230\11G\223\13t\26\27\317\274.\215`\177\250'\305\234\332\263/\305d^\7\344{6\307$\2(|U\321\305!Z\261\231?M\22jmVl\205?\331\377\320\305\357T\16\225F\373\277\370\372\313<\314zs4\260\16B\23\315sq\245\5\253\21\50\376`\317\2157\371\311\261&\233\6@\365\23\313\32\374\353?\271\342\263\206/&\205\252=\15%:\237\313\252\374\130\337\256\345T\330\257u\223\214\353\374~\252\4\312^\361k\244\30:\317p\331\307\37{u\256\371\327\36H\13y5\23\16\252b-\247", ) \310wi\306\237RQL\213\4\256v\365x\220\376\344\206\230\11G\223\13t\26\27\317\274.\215`\177\250'\305\234\332\263/\305d^\7\344{6\307$\2(|U\321\305!Z\261\231?M\22jmVl\205?\331\377\320\305\357T\16\225F\373\277\370\372\313<\314zs4\260\16B\23\315sq\245\5\253\21\50\376`\317\2157\371\311\261&\233\6@\365\23\313\32\374\353?\271\342\263\206/&\205\252=\15%:\237\313\252\374\130\337\256\345T\330\257u\223\214\353\374~\252\4\312^\361k\244\30:\317p\331\307\37{u\256\371\327\36H\13y5\23\16\252b-\247", ) == 0x0 01639 800 NtRegisterThreadTerminatePort (24, ... 
01640 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01639 800 NtRegisterThreadTerminatePort ... ) == 0x0 01641 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01642 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58020, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58020, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\14\5\0\0\370\1\0\0" ... ... 01643 800 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01642 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58021, 0} ... {28, 56, reply, 0, 1292, 1956, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\1\0\0\14\5\0\0\370\1\0\0" ) ) == 0x0 01643 800 NtDuplicateObject ... 488, ) == 0x0 01644 1956 NtResumeThread (484, ... 01645 800 NtWaitForSingleObject (64, 0, {0, 0}, ... 01644 1956 NtResumeThread ... 1, ) == 0x0 01645 800 NtWaitForSingleObject ... ) == 0x102 01646 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01647 800 NtWaitForSingleObject (136, 0, 0x0, ... 01641 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01648 504 NtTestAlert (... 01649 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01648 504 NtTestAlert ... ) == 0x0 01649 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01650 504 NtContinue (56360240, 1, ... 01651 1856 NtQuerySystemInformation (Performance, 312, ... 
01652 504 NtRegisterThreadTerminatePort (24, ... 01651 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01652 504 NtRegisterThreadTerminatePort ... ) == 0x0 01653 1856 NtQuerySystemInformation (Exception, 16, ... 01646 1956 NtAllocateVirtualMemory ... 56360960, 1048576, ) == 0x0 01654 504 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01655 1956 NtAllocateVirtualMemory (-1, 57401344, 0, 8192, 4096, 4, ... 01654 504 NtDuplicateObject ... 492, ) == 0x0 01655 1956 NtAllocateVirtualMemory ... 57401344, 8192, ) == 0x0 01656 504 NtWaitForSingleObject (64, 0, {0, 0}, ... 01657 1956 NtProtectVirtualMemory (-1, (0x36be000), 4096, 260, ... 01656 504 NtWaitForSingleObject ... ) == 0x102 01657 1956 NtProtectVirtualMemory ... (0x36be000), 4096, 4, ) == 0x0 01658 504 NtWaitForSingleObject (136, 0, 0x0, ... 01659 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01653 1856 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01660 1856 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01661 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01662 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01663 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... -2147482132, 2, ) }, 0, 0x0, 0, ... -2147482132, 2, ) == 0x0 01664 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "\233yk\210\201{\376!L[\315?\232\2445l\211\231\350\305\357!\200\332\331X\222\273f\337\213f_>\206\230\15%\363\317J\200\210\339L0\340~\34\32\363bz\31\24\332_8F\301\255\311\23\337eA\217\177\31`\206\346\310P\234\313\314\345"", 80, ... 
) , 0, 3, (-2147482132, "Seed", 0, 3, "\233yk\210\201{\376!L[\315?\232\2445l\211\231\350\305\357!\200\332\331X\222\273f\337\213f_>\206\230\15%\363\317J\200\210\339L0\340~\34\32\363bz\31\24\332_8F\301\255\311\23\337eA\217\177\31`\206\346\310P\234\313\314\345"", 80, ... ) ", 80, ... ) == 0x0 01665 1856 NtClose (-2147482132, ... 01659 1956 NtCreateThread ... 496, {1292, 888}, ) == 0x0 01666 1956 NtQueryInformationThread (496, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff8c000,Pid=1292,Tid=888,}, 0x0, ) == 0x0 01667 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58021, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\14\5\0\0x\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\14\5\0\0x\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58024, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58021, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\14\5\0\0x\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\1\0\0\14\5\0\0x\3\0\0" ) ) == 0x0 01668 1956 NtResumeThread (496, ... 1, ) == 0x0 01669 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 57409536, 1048576, ) == 0x0 01670 1956 NtAllocateVirtualMemory (-1, 58449920, 0, 8192, 4096, 4, ... 58449920, 8192, ) == 0x0 01665 1856 NtClose ... ) == 0x0 01671 888 NtTestAlert (... 01640 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "X\242P\300\244;\13\327w\300\210\34\301\257\313\32K/U\10\376\322Tx\326fu\274\324~3\334eZ\351\337z\304dQ\30%\226eB9\253\324g{\345\21\242\213P\20\340\241\353\263\305mC\355\202\277\204\315\203\267i\200\14\10~c{\10\360\320\3Mr\375\240\267/\225h\322\242~\264\255\244^q2'=\21\6\354YU\345\271C\325\270^5\264m\0o\366z\11[Y.\317\1\21l\341\314\207\261\264n\232\1\23\342G\257\344\340^lfoFX\16\216\316#\322\27\34\346\16\322\374&\2K\13\231\357\31n\10\15t"8\221\224l\362\337\212\367\230`\300\335&\302\206\243\260\275\250\16R/<\6;\347G\343\361P\247\253\253\213\336"\213\3*:Q\322;\236\337\311\253@}\205~\242\315<\212*\327\250\266\325\242\363\356\20\22\272\213\25\302\303\261\356\27@\245qL3\212\363*5\11k\337e\347", ) 8\221\224l\362\337\212\367\230`\300\335&\302\206\243\260\275\250\16R/<\6;\347G\343\361P\247\253\253\213\336 ... {status=0x0, info=256}, "X\242P\300\244;\13\327w\300\210\34\301\257\313\32K/U\10\376\322Tx\326fu\274\324~3\334eZ\351\337z\304dQ\30%\226eB9\253\324g{\345\21\242\213P\20\340\241\353\263\305mC\355\202\277\204\315\203\267i\200\14\10~c{\10\360\320\3Mr\375\240\267/\225h\322\242~\264\255\244^q2'=\21\6\354YU\345\271C\325\270^5\264m\0o\366z\11[Y.\317\1\21l\341\314\207\261\264n\232\1\23\342G\257\344\340^lfoFX\16\216\316#\322\27\34\346\16\322\374&\2K\13\231\357\31n\10\15t"8\221\224l\362\337\212\367\230`\300\335&\302\206\243\260\275\250\16R/<\6;\347G\343\361P\247\253\253\213\336"\213\3*:Q\322;\236\337\311\253@}\205~\242\315<\212*\327\250\266\325\242\363\356\20\22\272\213\25\302\303\261\356\27@\245qL3\212\363*5\11k\337e\347", ) , ) == 0x0 01671 888 NtTestAlert ... 
) == 0x0 01672 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01673 888 NtContinue (57408816, 1, ... 01674 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01675 888 NtRegisterThreadTerminatePort (24, ... 01674 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01675 888 NtRegisterThreadTerminatePort ... ) == 0x0 01676 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01677 1956 NtProtectVirtualMemory (-1, (0x37be000), 4096, 260, ... 01678 888 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01677 1956 NtProtectVirtualMemory ... (0x37be000), 4096, 4, ) == 0x0 01678 888 NtDuplicateObject ... 500, ) == 0x0 01679 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01680 888 NtAllocateVirtualMemory (-1, 1388544, 0, 4096, 4096, 4, ... 01679 1956 NtCreateThread ... 504, {1292, 1392}, ) == 0x0 01680 888 NtAllocateVirtualMemory ... 1388544, 4096, ) == 0x0 01681 1956 NtQueryInformationThread (504, Basic, 28, ... 01682 888 NtWaitForSingleObject (64, 0, {0, 0}, ... 01681 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff8b000,Pid=1292,Tid=1392,}, 0x0, ) == 0x0 01682 888 NtWaitForSingleObject ... ) == 0x102 01676 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01683 888 NtWaitForSingleObject (136, 0, 0x0, ... 
01684 1856 NtQuerySystemInformation (Performance, 312, ... {system info, class 2, size 312}, 312, ) == 0x0 01685 1856 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01686 1856 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01687 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01688 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... ) == STATUS_INFO_LENGTH_MISMATCH 01689 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01690 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58024, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\14\5\0\0p\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\14\5\0\0p\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58025, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58024, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\14\5\0\0p\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\1\0\0\14\5\0\0p\5\0\0" ) ) == 0x0 01691 1956 NtResumeThread (504, ... 1, ) == 0x0 01692 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 58458112, 1048576, ) == 0x0 01693 1956 NtAllocateVirtualMemory (-1, 59498496, 0, 8192, 4096, 4, ... 59498496, 8192, ) == 0x0 01694 1956 NtProtectVirtualMemory (-1, (0x38be000), 4096, 260, ... (0x38be000), 4096, 4, ) == 0x0 01695 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01689 1856 NtCreateKey ... -2147482132, 2, ) == 0x0 01696 1392 NtTestAlert (... 
01697 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "p\225|\17\206i\376\326y\35HAA\272\340[\366[\11\277\26\13|\216Zz\305\31\362\250P\251\2q`\344T\220\25HM\260}\202\2214\207\23\324\375\262\270\237\310\244\304\356/\262\6HAGX\226\314\376\252\336\260.\211C*,\26\253\241\341", 80, ... , 0, 3, (-2147482132, "Seed", 0, 3, "p\225|\17\206i\376\326y\35HAA\272\340[\366[\11\277\26\13|\216Zz\305\31\362\250P\251\2q`\344T\220\25HM\260}\202\2214\207\23\324\375\262\270\237\310\244\304\356/\262\6HAGX\226\314\376\252\336\260.\211C*,\26\253\241\341", 80, ... , 80, ... 01696 1392 NtTestAlert ... ) == 0x0 01697 1856 NtSetValueKey ... ) == 0x0 01698 1392 NtContinue (58457392, 1, ... 01699 1856 NtClose (-2147482132, ... 01700 1392 NtRegisterThreadTerminatePort (24, ... 01699 1856 NtClose ... ) == 0x0 01700 1392 NtRegisterThreadTerminatePort ... ) == 0x0 01672 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... {status=0x0, info=256}, "\207-\355\34\337-\212\252\336\321>[>\257\320>Se\274#\363\2\223Y\7pG\344\262\5\226,\363\177;\377j\344\361V}\234\17T~\347%\12C\214\32\11\232xp\23\12\226B\203\214\4\372\220@\35d\200\12\11\5\271\263\373\331\2445K\277\346ls3y'O\202\273H\23\3100\15W+\252\366\347\303\336b]g\223x\204\\227\311.vR6\330\312\354\275\235x5\303\31\345\337l(\362\332}Q\15X\225\250\272\361\320\265\11\311\27\204\377\210`:\35\202]9\3760,Y\4E#Z:\310W\7\224\341I3\11+C;Q{\305\2025UchW\34l\214\371Y\345\205\0\314C-p\263\334\254\237\256U8\271\4W\261\306\11\340\237\257SR\347\227\24\340\266\12j\\343\11\305\201\206\7\222\206\312\321BkV\235q\311\252\235~\335/\232hc\265\3324\21,\220)\250"\237<\12\267\312", ) \237<\12\267\312", ) == 0x0 01695 1956 NtCreateThread ... 508, {1292, 2020}, ) == 0x0 01701 1392 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01702 1956 NtQueryInformationThread (508, Basic, 28, ... 01701 1392 NtDuplicateObject ... 512, ) == 0x0 01702 1956 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff8a000,Pid=1292,Tid=2020,}, 0x0, ) == 0x0 01703 1392 NtWaitForSingleObject (64, 0, {0, 0}, ... 01704 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58025, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58025, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\14\5\0\0\344\7\0\0" ... ... 01703 1392 NtWaitForSingleObject ... ) == 0x102 01704 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58026, 0} ... {28, 56, reply, 0, 1292, 1956, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\1\0\0\14\5\0\0\344\7\0\0" ) ) == 0x0 01705 1392 NtWaitForSingleObject (136, 0, 0x0, ... 01706 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01707 1956 NtResumeThread (508, ... 01708 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01707 1956 NtResumeThread ... 1, ) == 0x0 01708 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01709 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01710 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01709 1956 NtAllocateVirtualMemory ... 59506688, 1048576, ) == 0x0 01710 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01711 1956 NtAllocateVirtualMemory (-1, 60547072, 0, 8192, 4096, 4, ... 01712 1856 NtQuerySystemInformation (Performance, 312, ... 01711 1956 NtAllocateVirtualMemory ... 
60547072, 8192, ) == 0x0 01713 2020 NtTestAlert (... 01712 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01713 2020 NtTestAlert ... ) == 0x0 01714 1856 NtQuerySystemInformation (Exception, 16, ... 01715 2020 NtContinue (59505968, 1, ... 01714 1856 NtQuerySystemInformation ... {system info, class 33, size 16}, 16, ) == 0x0 01716 2020 NtRegisterThreadTerminatePort (24, ... 01717 1856 NtQuerySystemInformation (Lookaside, 32, ... 01716 2020 NtRegisterThreadTerminatePort ... ) == 0x0 01717 1856 NtQuerySystemInformation ... {system info, class 45, size 32}, 32, ) == 0x0 01718 1956 NtProtectVirtualMemory (-1, (0x39be000), 4096, 260, ... 01719 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... 01718 1956 NtProtectVirtualMemory ... (0x39be000), 4096, 4, ) == 0x0 01720 2020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01721 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01720 2020 NtDuplicateObject ... 516, ) == 0x0 01721 1956 NtCreateThread ... 520, {1292, 740}, ) == 0x0 01722 2020 NtWaitForSingleObject (64, 0, {0, 0}, ... 01723 1956 NtQueryInformationThread (520, Basic, 28, ... 01722 2020 NtWaitForSingleObject ... ) == 0x102 01723 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff89000,Pid=1292,Tid=740,}, 0x0, ) == 0x0 01724 2020 NtWaitForSingleObject (136, 0, 0x0, ... 01719 1856 NtQuerySystemInformation ... {system info, class 23, size 0}, 0, ) == 0x0 01725 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58026, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58026, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\14\5\0\0\344\2\0\0" ... ... 01726 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01725 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58027, 0} ... {28, 56, reply, 0, 1292, 1956, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\2\0\0\14\5\0\0\344\2\0\0" ) ) == 0x0 01726 1856 NtQuerySystemInformation ... 
) == STATUS_INFO_LENGTH_MISMATCH 01727 1956 NtResumeThread (520, ... 01728 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01727 1956 NtResumeThread ... 1, ) == 0x0 01728 1856 NtCreateKey ... -2147482132, 2, ) == 0x0 01729 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01730 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, ",\350\214\375\205\274\224\234\257\2178\304\205\207\4+P\306\31\345@{\213\254\271\371%\225Mt\334\237D\233H\253w\256r\356\274\265Zu`\355q\326w\340s\33Q\237\332\3776\242\244\224\22\3756]n\234\205%\\314~\354\367a\371\236\204obd", 80, ... , 0, 3, (-2147482132, "Seed", 0, 3, ",\350\214\375\205\274\224\234\257\2178\304\205\207\4+P\306\31\345@{\213\254\271\371%\225Mt\334\237D\233H\253w\256r\356\274\265Zu`\355q\326w\340s\33Q\237\332\3776\242\244\224\22\3756]n\234\205%\\314~\354\367a\371\236\204obd", 80, ... , 80, ... 01731 740 NtTestAlert (... 01729 1956 NtAllocateVirtualMemory ... 60555264, 1048576, ) == 0x0 01731 740 NtTestAlert ... ) == 0x0 01732 1956 NtAllocateVirtualMemory (-1, 61595648, 0, 8192, 4096, 4, ... 01733 740 NtContinue (60554544, 1, ... 01732 1956 NtAllocateVirtualMemory ... 61595648, 8192, ) == 0x0 01734 740 NtRegisterThreadTerminatePort (24, ... 01735 1956 NtProtectVirtualMemory (-1, (0x3abe000), 4096, 260, ... 01734 740 NtRegisterThreadTerminatePort ... ) == 0x0 01735 1956 NtProtectVirtualMemory ... (0x3abe000), 4096, 4, ) == 0x0 01730 1856 NtSetValueKey ... ) == 0x0 01736 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01737 1856 NtClose (-2147482132, ... 01738 740 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01737 1856 NtClose ... ) == 0x0 01738 740 NtDuplicateObject ... 524, ) == 0x0 01706 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, "\254Cl\270O\337\30a\256\15|\365~\256\353\225h+Tx\33IA;\6\271\237\177\227\376\322\14vfm\256\3739\13i\307(\3\325R\252@F\233y\301p\340(\204\17pm?\25\326O'\226\30\15\210\220\323?\266\363i,\252\2277\204\331\17\301\0\35(+\340y\210\342\243MB@\250m\311\340*\307_E\335q\353B\17\3\31\256\354\210\367R\25\233\243\23\371)L_\347\341M?\37r\371\3759J\346D\231n[f\10\312\271\325\272\256\3159W=\233\177J\247{\265\243\212\271D\317Jv\12\225\321\2265\325`\14\372\211\4 \315\221\200D:Z\220\375\12QB\211+A\232\237O\327\15\20\213T9\357\1\244\16(\362db\341-K7\30`\376\332\350!e\0\262!\324p\272\310\273e\360J\236\322w\17\340\330'\363G\2$\336\1\220\213\227\360J\264z\314k\370C\254\20|\250K^", ) , ) == 0x0 01739 740 NtWaitForSingleObject (64, 0, {0, 0}, ... 01740 1856 NtDeviceIoControlFile (372, 0, 0x0, 0x0, 0x390008, (372, 0, 0x0, 0x0, 0x390008, "A\275\14L\13\7\2115\205p\20\324\275\323}2M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\253\365M\372\2\201\372\375\245QutXf\265\371\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 256, 256, ... , 256, 256, ... 01739 740 NtWaitForSingleObject ... ) == 0x102 01741 1856 NtQuerySystemInformation (TimeOfDay, 48, ... 01742 740 NtWaitForSingleObject (136, 0, 0x0, ... 01736 1956 NtCreateThread ... 528, {1292, 1676}, ) == 0x0 01741 1856 NtQuerySystemInformation ... {system info, class 3, size 48}, 48, ) == 0x0 01743 1956 NtQueryInformationThread (528, Basic, 28, ... 01744 1856 NtQuerySystemInformation (ProcessorTimes, 48, ... 01743 1956 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff88000,Pid=1292,Tid=1676,}, 0x0, ) == 0x0 01744 1856 NtQuerySystemInformation ... {system info, class 8, size 48}, 48, ) == 0x0 01745 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58027, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58027, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\14\5\0\0\214\6\0\0" ... ... 01746 1856 NtQuerySystemInformation (Performance, 312, ... 01745 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58028, 0} ... {28, 56, reply, 0, 1292, 1956, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\20\2\0\0\14\5\0\0\214\6\0\0" ) ) == 0x0 01746 1856 NtQuerySystemInformation ... {system info, class 2, size 312}, 312, ) == 0x0 01747 1856 NtQuerySystemInformation (Exception, 16, ... {system info, class 33, size 16}, 16, ) == 0x0 01748 1856 NtQuerySystemInformation (Lookaside, 32, ... {system info, class 45, size 32}, 32, ) == 0x0 01749 1856 NtQuerySystemInformation (ProcessorStatistics, 3016, ... {system info, class 23, size 0}, 0, ) == 0x0 01750 1856 NtQuerySystemInformation (ProcessesAndThreads, 3008, ... 01751 1956 NtResumeThread (528, ... 1, ) == 0x0 01752 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 61603840, 1048576, ) == 0x0 01753 1956 NtAllocateVirtualMemory (-1, 62644224, 0, 8192, 4096, 4, ... 62644224, 8192, ) == 0x0 01754 1956 NtProtectVirtualMemory (-1, (0x3bbe000), 4096, 260, ... (0x3bbe000), 4096, 4, ) == 0x0 01755 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 532, {1292, 496}, ) == 0x0 01756 1956 NtQueryInformationThread (532, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff87000,Pid=1292,Tid=496,}, 0x0, ) == 0x0 01750 1856 NtQuerySystemInformation ... ) == STATUS_INFO_LENGTH_MISMATCH 01757 1676 NtTestAlert (... 01758 1856 NtCreateKey (0x2, {24, 0, 0x240, 0, 0, (0x2, {24, 0, 0x240, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Cryptography\RNG"}, 0, 0x0, 0, ... }, 0, 0x0, 0, ... 01757 1676 NtTestAlert ... ) == 0x0 01758 1856 NtCreateKey ... 
-2147482132, 2, ) == 0x0 01759 1676 NtContinue (61603120, 1, ... 01760 1856 NtSetValueKey (-2147482132, (-2147482132, "Seed", 0, 3, "#\345\224\236\0\20j\E\215\246\245\332\362\354\216Z\17\333\231\22yS\353A\372\323\342\23\264\365^(\312\342g\255\260038\203\367\315", 80, ... , 0, 3, (-2147482132, "Seed", 0, 3, "#\345\224\236\0\20j\E\215\246\245\332\362\354\216Z\17\333\231\22yS\353A\372\323\342\23\264\365^(\312\342g\255\260038\203\367\315", 80, ... \315", 80, ... 01761 1676 NtRegisterThreadTerminatePort (24, ... 01760 1856 NtSetValueKey ... ) == 0x0 01761 1676 NtRegisterThreadTerminatePort ... ) == 0x0 01762 1856 NtClose (-2147482132, ... 01763 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58028, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58028, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\14\5\0\0\360\1\0\0" ... ... 01764 1676 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01763 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58029, 0} ... {28, 56, reply, 0, 1292, 1956, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\24\2\0\0\14\5\0\0\360\1\0\0" ) ) == 0x0 01764 1676 NtDuplicateObject ... 536, ) == 0x0 01765 1956 NtResumeThread (532, ... 01766 1676 NtWaitForSingleObject (64, 0, {0, 0}, ... 01765 1956 NtResumeThread ... 1, ) == 0x0 01766 1676 NtWaitForSingleObject ... ) == 0x102 01767 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01768 1676 NtWaitForSingleObject (136, 0, 0x0, ... 01762 1856 NtClose ... ) == 0x0 01769 496 NtTestAlert (... 01767 1956 NtAllocateVirtualMemory ... 62652416, 1048576, ) == 0x0 01740 1856 NtDeviceIoControlFile ... {status=0x0, info=256}, ... 
{status=0x0, info=256}, ".\346\326kS\250L\36\317<\367\303\260\370\267F\10M\206X\321\256\222\261\266\335\300Y\31t6\353 \206Nr\227\3|\367\365\30zy\357u\13\36\225\247\17\31\246X\360\304g\271OG"87\375\1\302\375\352\221\377\367\316\275|o\2\242\35w\3235\10\301\355\314\363\355\276\1Fz\347\253\31\222w\240[\17\260\301y\335C\276\340\371_4\225\202E\6(\33\275\351\276#\375nj\214\230\370d\13\6-\265h&;\353r\356di8\30Uhh\303J0\267:(\365"\377T\331]T=\2662\206\257\345kG\240\336.\11I\344\354\247\317\252, ) 87\375\1\302\375\352\221\377\367\316\275|o\2\242\35w\3235\10\301\355\314\363\355\276\1Fz\347\253\31\222w\240[\17\260\301y\335C\276\340\371_4\225\202E\6(\33\275\351\276#\375nj\214\230\370d\13\6-\265h&;\353r\356di8\30Uhh\303J0\267:(\365 ... {status=0x0, info=256}, ".\346\326kS\250L\36\317<\367\303\260\370\267F\10M\206X\321\256\222\261\266\335\300Y\31t6\353 \206Nr\227\3|\367\365\30zy\357u\13\36\225\247\17\31\246X\360\304g\271OG"87\375\1\302\375\352\221\377\367\316\275|o\2\242\35w\3235\10\301\355\314\363\355\276\1Fz\347\253\31\222w\240[\17\260\301y\335C\276\340\371_4\225\202E\6(\33\275\351\276#\375nj\214\230\370d\13\6-\265h&;\353r\356di8\30Uhh\303J0\267:(\365"\377T\331]T=\2662\206\257\345kG\240\336.\11I\344\354\247\317\252, ) , ) == 0x0 01769 496 NtTestAlert ... ) == 0x0 01770 1956 NtAllocateVirtualMemory (-1, 63692800, 0, 8192, 4096, 4, ... 01771 1856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01772 496 NtContinue (62651696, 1, ... 01770 1956 NtAllocateVirtualMemory ... 63692800, 8192, ) == 0x0 01771 1856 NtCreateEvent ... 540, ) == 0x0 01773 496 NtRegisterThreadTerminatePort (24, ... 01774 1956 NtProtectVirtualMemory (-1, (0x3cbe000), 4096, 260, ... 01775 1856 NtSetEventBoostPriority (456, ... 01773 496 NtRegisterThreadTerminatePort ... ) == 0x0 01774 1956 NtProtectVirtualMemory ... (0x3cbe000), 4096, 4, ) == 0x0 01563 1068 NtWaitForSingleObject ... ) == 0x0 01775 1856 NtSetEventBoostPriority ... ) == 0x0 01776 1068 NtAllocateVirtualMemory (-1, 1392640, 0, 4096, 4096, 4, ... 
01777 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01778 496 NtWaitForSingleObject (272, 0, 0x0, ... 01776 1068 NtAllocateVirtualMemory ... 1392640, 4096, ) == 0x0 01779 1856 NtWaitForSingleObject (272, 0, 0x0, ... 01780 1068 NtSetEventBoostPriority (272, ... 01777 1956 NtCreateThread ... 544, {1292, 1020}, ) == 0x0 01781 1956 NtQueryInformationThread (544, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff86000,Pid=1292,Tid=1020,}, 0x0, ) == 0x0 01782 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58029, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\5\0\0\374\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\5\0\0\374\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58030, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58029, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\5\0\0\374\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG \2\0\0\14\5\0\0\374\3\0\0" ) ) == 0x0 01783 1956 NtResumeThread (544, ... 1, ) == 0x0 01784 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 63700992, 1048576, ) == 0x0 01785 1956 NtAllocateVirtualMemory (-1, 64741376, 0, 8192, 4096, 4, ... 64741376, 8192, ) == 0x0 01778 496 NtWaitForSingleObject ... ) == 0x0 01780 1068 NtSetEventBoostPriority ... ) == 0x0 01786 1020 NtTestAlert (... 01787 496 NtSetEventBoostPriority (272, ... 01788 1068 NtWaitForSingleObject (272, 0, 0x0, ... 01786 1020 NtTestAlert ... ) == 0x0 01779 1856 NtWaitForSingleObject ... ) == 0x0 01787 496 NtSetEventBoostPriority ... ) == 0x0 01789 1856 NtSetEventBoostPriority (272, ... 01790 1020 NtContinue (63700272, 1, ... 01788 1068 NtWaitForSingleObject ... ) == 0x0 01789 1856 NtSetEventBoostPriority ... ) == 0x0 01791 496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01792 1068 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01793 1020 NtRegisterThreadTerminatePort (24, ... 
01794 1856 NtConnectPort ( ("\RPC Control\DNSResolver", {12, 2, 1, 0}, 0x0, 0x0, 12053868, 188, ... , {12, 2, 1, 0}, 0x0, 0x0, 12053868, 188, ... 01795 1956 NtProtectVirtualMemory (-1, (0x3dbe000), 4096, 260, ... 01792 1068 NtCreateEvent ... 548, ) == 0x0 01793 1020 NtRegisterThreadTerminatePort ... ) == 0x0 01791 496 NtDuplicateObject ... 552, ) == 0x0 01795 1956 NtProtectVirtualMemory ... (0x3dbe000), 4096, 4, ) == 0x0 01794 1856 NtConnectPort ... 556, 0x0, 0x0, 0x0, 188, ) == 0x0 01796 1068 NtConnectPort ( ("\RPC Control\epmapper", {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... , {12, 2, 1, 1}, 0x0, 0x0, 11006584, 188, ... 01797 496 NtAllocateVirtualMemory (-1, 1396736, 0, 4096, 4096, 4, ... 01798 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01799 1856 NtRequestWaitReplyPort (556, {200, 224, new_msg, 0, 1382616, 12, 2, 1310721} (556, {200, 224, new_msg, 0, 1382616, 12, 2, 1310721} "\0\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\230`\347w\4\0\0\0x\1\24\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0r\350\274\274\31\250\247\260\360B\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\3606\25\0\247\257\202\232x\1\24\0\350B\25\0h\1\24\0\0\0\0\0\0\0\0\0\350B\25\0P\0\0\0\360B\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\267\0\372\31\221|\200\363\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... ... 01797 496 NtAllocateVirtualMemory ... 1396736, 4096, ) == 0x0 01796 1068 NtConnectPort ... 560, 0x0, 0x0, 0x0, 188, ) == 0x0 01800 496 NtWaitForSingleObject (64, 0, {0, 0}, ... 
01801 1068 NtRequestWaitReplyPort (560, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} (560, {200, 224, new_msg, 0, 2883626, 1355840, 12, 2} "\0\1\0\0p\3\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\1\0\4\0\4\0\0\0\240<\24\0\3\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\31\347\346gM\271K\231\10N\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\4(\0\0\0\20N\25\0\7\35\316Lp\3\24\00N\25\0`\1\24\0\0\0\0\0\0\0\0\00N\25\0P\0\0\08N\25\0\360\6\221|H\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ... ... 01799 1856 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1292, 1856, 58033, 0} ... {200, 224, reply, 0, 1292, 1856, 58033, 0} "\7\0\0\0\274\0\0\0x\1\24\0\1kwEVY\205D\237\200\364(\367\326\1)\2\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0x\1\24\0\377\377\377\377\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\2\0\0\0r\350\274\274\31\250\247\260\360B\25\0h\1\24\0\12\0\0\0\0\0\0\0\0\0\0\0(\0\0\0\3606\25\0\247\257\202\232x\1\24\0\350B\25\0h\1\24\0\0\0\0\0\0\0\0\0\350B\25\0P\0\0\0\360B\25\0\360\6\221|x\1\24\0P\0\0\0\346\31\0\0\0\0\24\0\354\353\267\0\372\31\221|\200\363\267\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) ) == 0x0 01800 496 NtWaitForSingleObject ... ) == 0x102 01802 1856 NtRequestWaitReplyPort (556, {44, 68, new_msg, 0, 1292, 1856, 58011, 0} (556, {44, 68, new_msg, 0, 1292, 1856, 58011, 0} "\1\356\0\0A\2\4\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300\377\377\377\377X\353Q\200\0\0\0\0\0\0\0\0\1\0\0\0" ... ... 01801 1068 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1292, 1068, 58034, 0} ... 
{200, 224, reply, 0, 1292, 1068, 58034, 0} "\7\1\0\0p\3\24\0\274\0\0\0\10\203\257\341\37]\311\21\221\244\10\0+\24\240\372\3\0\0\0\1\0\0\0\0\0\0\0\4\0\0\0\240<\24\0\377\377\377\377\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\3\0\0\0\31\347\346gM\271K\231\10N\25\0`\1\24\0\12\0\0\0\0\0\0\0\0\0\0\4(\0\0\0\20N\25\0\7\35\316Lp\3\24\00N\25\0`\1\24\0\0\0\0\0\0\0\0\00N\25\0P\0\0\08N\25\0\360\6\221|H\3\24\0P\0\0\0\346\31\0\0\0\0\24\0\370\360\247\0\372\31\221|\214\370\247\0\30\356\220|\0\0\0\0\0\0\0\0\0\0\0\0\351\201\347w" ) ) == 0x0 01803 1020 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01798 1956 NtCreateThread ... 564, {1292, 432}, ) == 0x0 01804 496 NtWaitForSingleObject (136, 0, 0x0, ... 01803 1020 NtDuplicateObject ... 568, ) == 0x0 01805 1956 NtQueryInformationThread (564, Basic, 28, ... 01806 1020 NtWaitForSingleObject (64, 0, {0, 0}, ... 01805 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff85000,Pid=1292,Tid=432,}, 0x0, ) == 0x0 01806 1020 NtWaitForSingleObject ... ) == 0x102 01807 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58030, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58030, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\14\5\0\0\260\1\0\0" ... ... 01808 1020 NtWaitForSingleObject (136, 0, 0x0, ... 01807 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58036, 0} ... {28, 56, reply, 0, 1292, 1956, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG4\2\0\0\14\5\0\0\260\1\0\0" ) ) == 0x0 01809 1068 NtRequestWaitReplyPort (560, {44, 68, new_msg, 56, 0, 0, 0, 0} (560, {44, 68, new_msg, 56, 0, 0, 0, 0} "\1\0\0\0B\2\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\0\0\0\0\1\0\0\0\220T\25\0\322\0\0\0" ... ... 01802 1856 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1292, 1856, 58035, 0} ... 
{40, 64, reply, 0, 1292, 1856, 58035, 0} "\2\356Q\200\4\0\0\0P\306\233\201\0\220\372\177\220\353\3\370\370\37`\300l\353\3\370X\353Q\200\320\1\0\0X-\12\0" ) ) == 0x0 01810 1856 NtRequestWaitReplyPort (556, {64, 88, new_msg, 56, 1373584, 12054380, 12054480, 0} (556, {64, 88, new_msg, 56, 1373584, 12054380, 12054480, 0} "\10\357\267\0@\0\24\0\346\277\347w\320\357\267\0l\357\267\0\20\0\0\0\250.\362v\4\366\24\0\1\0\0\0\210U\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\30\356\24\0" ... ... 01809 1068 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1292, 1068, 58037, 0} ... {40, 64, reply, 0, 1292, 1068, 58037, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\323\1\0\0\350\370\14\0" ) ) == 0x0 01811 1068 NtRequestWaitReplyPort (560, {64, 88, new_msg, 56, 1310720, 11006452, 1397896, 0} (560, {64, 88, new_msg, 56, 1310720, 11006452, 1397896, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`W\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01810 1856 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1292, 1856, 58038, 0} ... {64, 88, reply, 56, 1292, 1856, 58038, 0} "\10\357\267\0@\0\24\0\346\277\347w\320\357\267\0l\357\267\0\20\0\0\0\250.\362v\4\366\24\0\1\0\0\0\210U\25\0\320\1\0\0\320\1\0\0X-\12\0\0\0\0\0\0\0\0\0\30\356\24\0" ) ) == 0x0 01812 1856 NtClose (540, ... 01811 1068 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1292, 1068, 58039, 0} ... {64, 88, reply, 56, 1292, 1068, 58039, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0`W\25\0\323\1\0\0\323\1\0\0\350\370\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01813 1956 NtResumeThread (564, ... 01812 1856 NtClose ... ) == 0x0 01813 1956 NtResumeThread ... 1, ) == 0x0 01814 1856 NtClose (556, ... 01815 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01814 1856 NtClose ... ) == 0x0 01815 1956 NtAllocateVirtualMemory ... 
64749568, 1048576, ) == 0x0 01816 1856 NtCreateKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... }, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, 0, "Class", 0, ... , 0, ... 01817 1956 NtAllocateVirtualMemory (-1, 65789952, 0, 8192, 4096, 4, ... 01816 1856 NtCreateKey ... 556, 2, ) == 0x0 01817 1956 NtAllocateVirtualMemory ... 65789952, 8192, ) == 0x0 01818 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\DnsCache\Parameters"}, ... }, ... 01819 1068 NtRequestWaitReplyPort (560, {44, 68, new_msg, 56, 1292, 1068, 58037, 0} (560, {44, 68, new_msg, 56, 1292, 1068, 58037, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\220T\25\0\322\0\0\0" ... ... 01820 432 NtTestAlert (... 01821 1956 NtProtectVirtualMemory (-1, (0x3ebe000), 4096, 260, ... 01820 432 NtTestAlert ... ) == 0x0 01821 1956 NtProtectVirtualMemory ... (0x3ebe000), 4096, 4, ) == 0x0 01819 1068 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1292, 1068, 58041, 0} ... {40, 64, reply, 0, 1292, 1068, 58041, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0\351\1\0\0\350\232\14\0" ) ) == 0x0 01822 432 NtContinue (64748848, 1, ... 01823 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01824 1068 NtRequestWaitReplyPort (560, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (560, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0X]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01825 432 NtRegisterThreadTerminatePort (24, ... 01823 1956 NtCreateThread ... 540, {1292, 1332}, ) == 0x0 01825 432 NtRegisterThreadTerminatePort ... ) == 0x0 01826 1956 NtQueryInformationThread (540, Basic, 28, ... 
01824 1068 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1292, 1068, 58042, 0} ... {64, 88, reply, 56, 1292, 1068, 58042, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0X]\25\0\351\1\0\0\351\1\0\0\350\232\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01818 1856 NtOpenKey ... 572, ) == 0x0 01826 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff84000,Pid=1292,Tid=1332,}, 0x0, ) == 0x0 01827 432 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01828 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\Windows NT\DnsClient"}, ... }, ... 01829 1068 NtRequestWaitReplyPort (560, {44, 68, new_msg, 56, 1292, 1068, 58041, 0} (560, {44, 68, new_msg, 56, 1292, 1068, 58041, 0} "\1\246\0\0B\2\3\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\377\377\377\377\2\0\0\0\1\0\0\0\220T\25\0\322\0\0\0" ... ... 01827 432 NtDuplicateObject ... 576, ) == 0x0 01828 1856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01830 432 NtWaitForSingleObject (64, 0, {0, 0}, ... 01831 1856 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "Software\Policies\Microsoft\System\DNSClient"}, ... }, ... 01829 1068 NtRequestWaitReplyPort ... {40, 64, reply, 0, 1292, 1068, 58043, 0} ... {40, 64, reply, 0, 1292, 1068, 58043, 0} "\2\246\200|\4\0\0\0\0\0\0\0\4\377}\0(\345\12\0\0\0\0\0\230\376}\0\2\0\0\0|\1\0\0h\236\14\0" ) ) == 0x0 01830 432 NtWaitForSingleObject ... ) == 0x102 01831 1856 NtOpenKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01832 1068 NtAllocateVirtualMemory (-1, 1400832, 0, 4096, 4096, 4, ... 01833 432 NtWaitForSingleObject (136, 0, 0x0, ... 01834 1856 NtQueryValueKey (556, (556, "Domain", Partial, 144, ... , Partial, 144, ... 01832 1068 NtAllocateVirtualMemory ... 1400832, 4096, ) == 0x0 01835 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58036, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58036, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\14\5\0\04\5\0\0" ... 
... 01836 1068 NtRequestWaitReplyPort (560, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} (560, {64, 88, new_msg, 56, 1310720, 11006452, 11007196, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10`\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ... ... 01835 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58044, 0} ... {28, 56, reply, 0, 1292, 1956, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\34\2\0\0\14\5\0\04\5\0\0" ) ) == 0x0 01834 1856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01837 1956 NtResumeThread (540, ... 01838 1856 NtQueryValueKey (556, (556, "Domain", Partial, 144, ... , Partial, 144, ... 01837 1956 NtResumeThread ... 1, ) == 0x0 01838 1856 NtQueryValueKey ... TitleIdx=0, Type=1, Data= ... TitleIdx=0, Type=1, Data="\0\0"}, 14, ) }, 14, ) == 0x0 01839 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01840 1856 NtClose (556, ... 01836 1068 NtRequestWaitReplyPort ... {64, 88, reply, 56, 1292, 1068, 58045, 0} ... {64, 88, reply, 56, 1292, 1068, 58045, 0} "\10\356\220|@\0\1\0\34\0\0\0p\363\247\0\351\201\347w\214\370\247\0\30\356\220|p\5\221|\1\0\0\0\10`\25\0|\1\0\0|\1\0\0h\236\14\0\0\0\0\0\0\0\0\0\273f\347w" ) ) == 0x0 01841 1332 NtAllocateVirtualMemory (-1, 8806400, 0, 4096, 4096, 4, ... 01840 1856 NtClose ... ) == 0x0 01842 1068 NtClose (548, ... 01841 1332 NtAllocateVirtualMemory ... 8806400, 4096, ) == 0x0 01843 1856 NtClose (572, ... 01842 1068 NtClose ... ) == 0x0 01844 1332 NtTestAlert (... 01839 1956 NtAllocateVirtualMemory ... 65798144, 1048576, ) == 0x0 01845 1068 NtClose (560, ... 01844 1332 NtTestAlert ... ) == 0x0 01846 1956 NtAllocateVirtualMemory (-1, 66838528, 0, 8192, 4096, 4, ... 01845 1068 NtClose ... ) == 0x0 01847 1332 NtContinue (65797424, 1, ... 01846 1956 NtAllocateVirtualMemory ... 66838528, 8192, ) == 0x0 01843 1856 NtClose ... 
) == 0x0 01848 1068 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01849 1956 NtProtectVirtualMemory (-1, (0x3fbe000), 4096, 260, ... 01850 1856 NtOpenKey (0x1, {24, 28, 0x40, 0, 0, (0x1, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\Tcpip\Parameters"}, ... }, ... 01848 1068 NtCreateEvent ... 572, ) == 0x0 01849 1956 NtProtectVirtualMemory ... (0x3fbe000), 4096, 4, ) == 0x0 01850 1856 NtOpenKey ... 560, ) == 0x0 01851 1068 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\ComputerName"}, ... }, ... 01852 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01853 1856 NtQueryValueKey (560, (560, "DnsNbtLookupOrder", Partial, 144, ... , Partial, 144, ... 01851 1068 NtOpenKey ... 548, ) == 0x0 01854 1332 NtRegisterThreadTerminatePort (24, ... 01853 1856 NtQueryValueKey ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01855 1068 NtOpenKey (0x20019, {24, 548, 0x40, 0, 0, (0x20019, {24, 548, 0x40, 0, 0, "ActiveComputerName"}, ... }, ... 01854 1332 NtRegisterThreadTerminatePort ... ) == 0x0 01856 1856 NtClose (560, ... 01855 1068 NtOpenKey ... 556, ) == 0x0 01857 1332 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01852 1956 NtCreateThread ... 580, {1292, 752}, ) == 0x0 01856 1856 NtClose ... ) == 0x0 01857 1332 NtDuplicateObject ... 560, ) == 0x0 01858 1956 NtQueryInformationThread (580, Basic, 28, ... 01859 1856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12053456, ... }, 12053456, ... 01860 1332 NtWaitForSingleObject (64, 0, {0, 0}, ... 01858 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff83000,Pid=1292,Tid=752,}, 0x0, ) == 0x0 01859 1856 NtQueryAttributesFile ... ) == 0x0 01861 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58044, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58044, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\14\5\0\0\360\2\0\0" ... ... 
01862 1856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01861 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58048, 0} ... {28, 56, reply, 0, 1292, 1956, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGD\2\0\0\14\5\0\0\360\2\0\0" ) ) == 0x0 01862 1856 NtOpenFile ... 584, {status=0x0, info=1}, ) == 0x0 01863 1068 NtQueryValueKey (556, (556, "ComputerName", Full, 108, ... , Full, 108, ... 01860 1332 NtWaitForSingleObject ... ) == 0x102 01864 1856 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 584, ... 01863 1068 NtQueryValueKey ... TitleIdx=0, Type=1, Name= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) , Data= ... TitleIdx=0, Type=1, Name="ComputerName", Data="V\0I\0R\0T\0U\0A\0L\0\0\0"}, 60, ) }, 60, ) == 0x0 01865 1332 NtWaitForSingleObject (136, 0, 0x0, ... 01866 1956 NtResumeThread (580, ... 01867 1068 NtClose (556, ... 01866 1956 NtResumeThread ... 1, ) == 0x0 01867 1068 NtClose ... ) == 0x0 01868 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01869 1068 NtClose (548, ... 01868 1956 NtAllocateVirtualMemory ... 66846720, 1048576, ) == 0x0 01869 1068 NtClose ... ) == 0x0 01870 1956 NtAllocateVirtualMemory (-1, 67887104, 0, 8192, 4096, 4, ... 01864 1856 NtCreateSection ... 548, ) == 0x0 01871 752 NtWaitForSingleObject (88, 0, 0x0, ... 01870 1956 NtAllocateVirtualMemory ... 67887104, 8192, ) == 0x0 01872 1856 NtClose (584, ... 01873 1068 NtCreateIoCompletion (0x1f0003, 0x0, 0, ... 01872 1856 NtClose ... ) == 0x0 01873 1068 NtCreateIoCompletion ... 584, ) == 0x0 01874 1856 NtMapViewOfSection (548, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... 01875 1068 NtCreateIoCompletion (0x1f0003, 0x0, -1, ... 01874 1856 NtMapViewOfSection ... (0x850000), 0x0, 20480, ) == 0x0 01875 1068 NtCreateIoCompletion ... 556, ) == 0x0 01876 1856 NtClose (548, ... 01877 1068 NtDuplicateObject (-1, 584, -1, 0x0, 0, 2, ... 
01878 1956 NtProtectVirtualMemory (-1, (0x40be000), 4096, 260, ... 01877 1068 NtDuplicateObject ... 588, ) == 0x0 01878 1956 NtProtectVirtualMemory ... (0x40be000), 4096, 4, ) == 0x0 01876 1856 NtClose ... ) == 0x0 01879 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 548, {1292, 120}, ) == 0x0 01880 1956 NtQueryInformationThread (548, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff82000,Pid=1292,Tid=120,}, 0x0, ) == 0x0 01881 1856 NtUnmapViewOfSection (-1, 0x850000, ... 01882 1068 NtOpenThreadToken (-2, 0xc, 1, ... 01881 1856 NtUnmapViewOfSection ... ) == 0x0 01882 1068 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01883 1856 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 12053764, ... }, 12053764, ... 01884 1068 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01885 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58048, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58048, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\14\5\0\0x\0\0\0" ... ... 01884 1068 NtCreateEvent ... 592, ) == 0x0 01885 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58049, 0} ... {28, 56, reply, 0, 1292, 1956, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG$\2\0\0\14\5\0\0x\0\0\0" ) ) == 0x0 01886 1068 NtOpenThreadToken (-2, 0xc, 1, ... 01887 1956 NtResumeThread (548, ... 01886 1068 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01887 1956 NtResumeThread ... 1, ) == 0x0 01883 1856 NtQueryAttributesFile ... ) == 0x0 01888 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01889 1856 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\System32\winrnr.dll"}, 5, 96, ... }, 5, 96, ... 01890 1068 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01891 120 NtWaitForSingleObject (88, 0, 0x0, ... 01889 1856 NtOpenFile ... 596, {status=0x0, info=1}, ) == 0x0 01890 1068 NtSetInformationThread ... 
) == 0x0 01892 1856 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 596, ... 01893 1068 NtCreateFile (0xc0100080, {24, 0, 0x40, 0, 11006144, (0xc0100080, {24, 0, 0x40, 0, 11006144, "\??\PIPE\lsarpc"}, 0x0, 0, 3, 1, 64, 0, 0, ... }, 0x0, 0, 3, 1, 64, 0, 0, ... 01892 1856 NtCreateSection ... 600, ) == 0x0 01893 1068 NtCreateFile ... 604, {status=0x0, info=1}, ) == 0x0 01894 1856 NtQuerySection (600, Image, 48, ... 01895 1068 NtSetInformationFile (604, 11006200, 8, Pipe, ... 01888 1956 NtAllocateVirtualMemory ... 67895296, 1048576, ) == 0x0 01896 1956 NtAllocateVirtualMemory (-1, 68935680, 0, 8192, 4096, 4, ... 68935680, 8192, ) == 0x0 01897 1956 NtProtectVirtualMemory (-1, (0x41be000), 4096, 260, ... (0x41be000), 4096, 4, ) == 0x0 01898 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 608, {1292, 1732}, ) == 0x0 01899 1956 NtQueryInformationThread (608, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff81000,Pid=1292,Tid=1732,}, 0x0, ) == 0x0 01900 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58049, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\14\5\0\0\304\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\14\5\0\0\304\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58050, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58049, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\14\5\0\0\304\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG`\2\0\0\14\5\0\0\304\6\0\0" ) ) == 0x0 01895 1068 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01894 1856 NtQuerySection ... {section info, class 1, size 48}, 0x0, ) == 0x0 01901 1068 NtSetInformationFile (604, 11006188, 8, Completion, ... 01902 1856 NtClose (596, ... 01901 1068 NtSetInformationFile ... {status=0x0, info=0}, ) == 0x0 01902 1856 NtClose ... ) == 0x0 01903 1068 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 
01904 1856 NtMapViewOfSection (600, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01903 1068 NtSetInformationThread ... ) == 0x0 01904 1856 NtMapViewOfSection ... (0x76fb0000), 0x0, 32768, ) == 0x0 01905 1068 NtWriteFile (604, 245, 0, 0, (604, 245, 0, 0, "\5\0\13\3\20\0\0\0H\0\0\0\1\0\0\0\270\20\270\20\0\0\0\0\1\0\0\0\0\0\1\0xW4\224\22\315\253\357\0\1#Eg\211\253\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", 72, {0, 0}, 0, ... , 72, {0, 0}, 0, ... 01906 1856 NtClose (600, ... 01907 1956 NtResumeThread (608, ... 01905 1068 NtWriteFile ... {status=0x0, info=72}, ) == 0x0 01907 1956 NtResumeThread ... 1, ) == 0x0 01908 1068 NtReadFile (604, 245, 0, 0, 1024, {0, 0}, 0, ... 01909 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01908 1068 NtReadFile ... {status=0x0, info=68}, ... {status=0x0, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x0 01909 1956 NtAllocateVirtualMemory ... 68943872, 1048576, ) == 0x0 01910 1068 NtFsControlFile (604, 245, 0x0, 0x0, 0x11c017, (604, 245, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0@\0\0\0\1\0\0\0(\0\0\0\0\0,\0\0\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\210\367\247\0\14\0\0\0\2\0\1\0\0\10\0\0", 64, 1024, ... , 64, 1024, ... 01911 1956 NtAllocateVirtualMemory (-1, 69984256, 0, 8192, 4096, 4, ... 01910 1068 NtFsControlFile ... {status=0x103, info=68}, ... {status=0x103, info=68}, "\5\0\14\3\20\0\0\0D\0\0\0\1\0\0\0\270\20\270\20++\0\0\14\0\PIPE\lsass\0\0\0\1\0\0\0\0\0\0\0\4]\210\212\353\34\311\21\237\350\10\0+\20H`\2\0\0\0", ) , ) == 0x103 01911 1956 NtAllocateVirtualMemory ... 
69984256, 8192, ) == 0x0 01912 1068 NtFsControlFile (604, 245, 0x0, 0x0, 0x11c017, (604, 245, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0\210\0\0\0\2\0\0\0p\0\0\0\0\0D\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\1\0\0\0\1\0\0\0&\0(\0`C\25\0\24\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0u\0t\0h\0o\0r\0i\0t\0y\0\\0s\0y\0s\0t\0e\0m\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\2\0\0\0", 136, 1024, ... , 136, 1024, ... 01906 1856 NtClose ... ) == 0x0 01913 1732 NtWaitForSingleObject (88, 0, 0x0, ... 01914 1956 NtProtectVirtualMemory (-1, (0x42be000), 4096, 260, ... 01915 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01914 1956 NtProtectVirtualMemory ... (0x42be000), 4096, 4, ) == 0x0 01915 1856 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01916 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01917 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01916 1956 NtCreateThread ... 600, {1292, 188}, ) == 0x0 01912 1068 NtFsControlFile ... {status=0x103, info=48}, ... {status=0x103, info=48}, "\5\0\2\3\20\0\0\00\0\0\0\1\0\0\0\30\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse\0\0\0\0", ) , ) == 0x103 01918 1956 NtQueryInformationThread (600, Basic, 28, ... 01919 1068 NtFsControlFile (604, 245, 0x0, 0x0, 0x11c017, (604, 245, 0x0, 0x0, 0x11c017, "\5\0\0\3\20\0\0\0,\0\0\0\3\0\0\0\24\0\0\0\0\0\0\0\0\0\0\0\266\275.l\215\373FC\227[\347p\214Nse", 44, 1024, ... , 44, 1024, ... 01918 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff80000,Pid=1292,Tid=188,}, 0x0, ) == 0x0 01919 1068 NtFsControlFile ... {status=0x103, info=156}, ... 
{status=0x103, info=156}, "\5\0\2\3\20\0\0\0\234\0\0\0\2\0\0\0\204\0\0\0\0\0\0\0\260\\25\0\1\0\0\0\274\\25\0 \0\0\0\1\0\0\0\30\0\32\0\310\\25\0\344\\25\0\15\0\0\0\0\0\0\0\14\0\0\0N\0T\0 \0A\0U\0T\0H\0O\0R\0I\0T\0Y\0\0\0\0\0\1\0\0\0\0\0\0\5\1\0\0\0\300A\25\0\1\0\0\0\5\0i\0\320A\25\0\0\0\0\0\0\0\0\0\1\0\0\0\1\1\0\0\0\0\0\5\22\0\0\0\1\0\0\0\0\0\0\0", ) , ) == 0x103 01917 1856 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01920 1068 NtClose (592, ... 01921 1856 NtFlushInstructionCache (-1, 1996165120, 232, ... 01920 1068 NtClose ... ) == 0x0 01921 1856 NtFlushInstructionCache ... ) == 0x0 01922 1068 NtClose (604, ... 01923 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... 01924 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58050, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58050, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\14\5\0\0\274\0\0\0" ... ... 01923 1856 NtProtectVirtualMemory ... (0x76fb1000), 4096, 32, ) == 0x0 01924 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58051, 0} ... {28, 56, reply, 0, 1292, 1956, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGX\2\0\0\14\5\0\0\274\0\0\0" ) ) == 0x0 01925 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... 01926 1956 NtResumeThread (600, ... 01922 1068 NtClose ... ) == 0x0 01926 1956 NtResumeThread ... 1, ) == 0x0 01927 1068 NtSecureConnectPort ( ("\RPC Control\unimdmsvc", {12, 2, 1, 1}, 0x0, 1382616, 0x0, 11008068, 188, ... , {12, 2, 1, 1}, 0x0, 1382616, 0x0, 11008068, 188, ... 01928 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01927 1068 NtSecureConnectPort ... 604, 0x0, 0x0, 0x0, 188, ) == 0x0 01925 1856 NtProtectVirtualMemory ... (0x76fb1000), 4096, 4, ) == 0x0 01929 188 NtWaitForSingleObject (88, 0, 0x0, ... 01930 1068 NtOpenThreadToken (-2, 0xc, 1, ... 01931 1856 NtFlushInstructionCache (-1, 1996165120, 232, ... 01930 1068 NtOpenThreadToken ... ) == STATUS_NO_TOKEN 01931 1856 NtFlushInstructionCache ... 
) == 0x0 01928 1956 NtAllocateVirtualMemory ... 69992448, 1048576, ) == 0x0 01932 1856 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "WLDAP32.dll"}, ... }, ... 01933 1956 NtAllocateVirtualMemory (-1, 71032832, 0, 8192, 4096, 4, ... 01932 1856 NtOpenSection ... 592, ) == 0x0 01933 1956 NtAllocateVirtualMemory ... 71032832, 8192, ) == 0x0 01934 1856 NtMapViewOfSection (592, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... 01935 1956 NtProtectVirtualMemory (-1, (0x43be000), 4096, 260, ... 01936 1068 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01935 1956 NtProtectVirtualMemory ... (0x43be000), 4096, 4, ) == 0x0 01936 1068 NtSetInformationThread ... ) == 0x0 01937 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 01938 1068 NtRequestWaitReplyPort (604, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} (604, {200, 224, new_msg, 0, 1355840, 12, 2, 1310977} "\0\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\230`\347w\26\0\0\0\4\0\0\0\10\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\371o\%\277\260\277W\354\210B\2166~\204\366\12\0\0\0]L \366\233\220\314\245\0\0\0\0\0$\25\0\27\267\361k_5w\213(\0\0\0\307W\0\244\0\0\24\0\240\366\247\0\312 \5"\0\0\0\08N\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... \0\0\0\08N\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ... 01934 1856 NtMapViewOfSection ... (0x76f60000), 0x0, 180224, ) == 0x0 01939 1856 NtClose (592, ... ) == 0x0 01940 1856 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... (0x76f61000), 4096, 32, ) == 0x0 01941 1856 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01938 1068 NtRequestWaitReplyPort ... {200, 224, reply, 0, 1292, 1068, 58053, 0} ... 
{200, 224, reply, 0, 1292, 1068, 58053, 0} "\7\0\0\0\274\0\0\0\0\0\0\03\242t\326)X\335I\220\360`\317\234\353q)\1\0\0\0\1\0\0\0\0\0\0\0\26\0\0\0\4\0\0\0\0\0\0\0\5\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\4\0\0\0\371o\%\277\260\277W\354\210B\2166~\204\366\12\0\0\0]L \366\233\220\314\245\0\0\0\0\0$\25\0\27\267\361k_5w\213(\0\0\0\307W\0\244\0\0\24\0\240\366\247\0\312 \5"\0\0\0\08N\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) \0\0\0\08N\25\0\360\6\221|\377\377\377\377P\0\0\0\346\31\0|\0\0\24\0\304\366\247\0\372\31\221|X\376\247\0\30\356\220|\360\6\221|\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0" ) == 0x0 01937 1956 NtCreateThread ... 592, {1292, 1636}, ) == 0x0 01942 1068 NtSetInformationThread (-2, ImpersonationToken, {ImpToken=0,}, 4, ... 01943 1956 NtQueryInformationThread (592, Basic, 28, ... 01941 1856 NtProtectVirtualMemory ... (0x76f61000), 4096, 4, ) == 0x0 01943 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff7f000,Pid=1292,Tid=1636,}, 0x0, ) == 0x0 01944 1856 NtFlushInstructionCache (-1, 1995837440, 228, ... 01945 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58051, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58051, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\5\0\0d\6\0\0" ... ... 01944 1856 NtFlushInstructionCache ... ) == 0x0 01945 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58054, 0} ... {28, 56, reply, 0, 1292, 1956, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGP\2\0\0\14\5\0\0d\6\0\0" ) ) == 0x0 01946 1856 NtProtectVirtualMemory (-1, (0x76f61000), 228, 4, ... 01942 1068 NtSetInformationThread ... ) == 0x0 01946 1856 NtProtectVirtualMemory ... (0x76f61000), 4096, 32, ) == 0x0 01947 1068 NtRequestWaitReplyPort (604, {56, 80, new_msg, 0, 44, 3, 20, 0} (604, {56, 80, new_msg, 0, 44, 3, 20, 0} "\1\0\0\0A\2\2\0\215\373FC\227[\347p\214Nse\1\0\0\0\0\0\0\0&\0(\0\240\1\0\0\0\0\0\0\0\0\0\0\23\0\0\0n\0t\0 \0a\0" ... ... 
01948 1856 NtProtectVirtualMemory (-1, (0x76f61000), 4096, 32, ... 01949 1956 NtResumeThread (592, ... 1, ) == 0x0 01950 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 71041024, 1048576, ) == 0x0 01951 1956 NtAllocateVirtualMemory (-1, 72081408, 0, 8192, 4096, 4, ... 72081408, 8192, ) == 0x0 01952 1956 NtProtectVirtualMemory (-1, (0x44be000), 4096, 260, ... (0x44be000), 4096, 4, ) == 0x0 01953 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 596, {1292, 624}, ) == 0x0 01954 1956 NtQueryInformationThread (596, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7e000,Pid=1292,Tid=624,}, 0x0, ) == 0x0 01948 1856 NtProtectVirtualMemory ... (0x76f61000), 4096, 4, ) == 0x0 01955 1636 NtWaitForSingleObject (88, 0, 0x0, ... 01956 1856 NtFlushInstructionCache (-1, 1995837440, 228, ... ) == 0x0 01957 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 232, 4, ... (0x76fb1000), 4096, 32, ) == 0x0 01958 1856 NtProtectVirtualMemory (-1, (0x76fb1000), 4096, 32, ... (0x76fb1000), 4096, 4, ) == 0x0 01959 1856 NtFlushInstructionCache (-1, 1996165120, 232, ... ) == 0x0 01960 1856 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01961 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58054, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\14\5\0\0p\2\0\0" ... {28, 56, reply, 0, 1292, 1956, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\14\5\0\0p\2\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58056, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58054, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\14\5\0\0p\2\0\0" ... {28, 56, reply, 0, 1292, 1956, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\2\0\0\14\5\0\0p\2\0\0" ) ) == 0x0 01962 1956 NtResumeThread (596, ... 1, ) == 0x0 01963 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
01964 1856 NtCreateEvent (0x1f0003, 0x0, 1, 0, ... 01965 624 NtWaitForSingleObject (88, 0, 0x0, ... 01964 1856 NtCreateEvent ... 612, ) == 0x0 01966 1856 NtOpenKey (0x20019, {24, 28, 0x40, 0, 0, (0x20019, {24, 28, 0x40, 0, 0, "System\CurrentControlSet\Services\LDAP"}, ... 616, ) }, ... 616, ) == 0x0 01967 1856 NtQueryValueKey (616, (616, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 144, ... TitleIdx=0, Type=4, Data= (616, "LdapClientIntegrity", Partial, 144, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 01968 1856 NtClose (616, ... ) == 0x0 01969 1856 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrnr.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 01963 1956 NtAllocateVirtualMemory ... 72089600, 1048576, ) == 0x0 01970 1956 NtAllocateVirtualMemory (-1, 73129984, 0, 8192, 4096, 4, ... 73129984, 8192, ) == 0x0 01971 1956 NtProtectVirtualMemory (-1, (0x45be000), 4096, 260, ... (0x45be000), 4096, 4, ) == 0x0 01972 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 616, {1292, 1948}, ) == 0x0 01973 1956 NtQueryInformationThread (616, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7d000,Pid=1292,Tid=1948,}, 0x0, ) == 0x0 01974 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58056, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\5\0\0\234\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\5\0\0\234\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58057, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58056, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\5\0\0\234\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGh\2\0\0\14\5\0\0\234\7\0\0" ) ) == 0x0 01975 1956 NtResumeThread (616, ... 
1, ) == 0x0 01976 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 73138176, 1048576, ) == 0x0 01977 1956 NtAllocateVirtualMemory (-1, 74178560, 0, 8192, 4096, 4, ... 74178560, 8192, ) == 0x0 01978 1948 NtWaitForSingleObject (88, 0, 0x0, ... 01979 1956 NtProtectVirtualMemory (-1, (0x46be000), 4096, 260, ... (0x46be000), 4096, 4, ) == 0x0 01980 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 620, {1292, 988}, ) == 0x0 01981 1956 NtQueryInformationThread (620, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7c000,Pid=1292,Tid=988,}, 0x0, ) == 0x0 01982 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58057, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\14\5\0\0\334\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\14\5\0\0\334\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58058, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58057, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\14\5\0\0\334\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGl\2\0\0\14\5\0\0\334\3\0\0" ) ) == 0x0 01983 1956 NtResumeThread (620, ... 1, ) == 0x0 01984 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 01985 988 NtWaitForSingleObject (88, 0, 0x0, ... 01984 1956 NtAllocateVirtualMemory ... 74186752, 1048576, ) == 0x0 01986 1956 NtAllocateVirtualMemory (-1, 75227136, 0, 8192, 4096, 4, ... 75227136, 8192, ) == 0x0 01987 1956 NtProtectVirtualMemory (-1, (0x47be000), 4096, 260, ... (0x47be000), 4096, 4, ) == 0x0 01988 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 624, {1292, 468}, ) == 0x0 01989 1956 NtQueryInformationThread (624, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7b000,Pid=1292,Tid=468,}, 0x0, ) == 0x0 01990 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58058, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\5\0\0\324\1\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\5\0\0\324\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58059, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58058, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\5\0\0\324\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGp\2\0\0\14\5\0\0\324\1\0\0" ) ) == 0x0 01991 1956 NtResumeThread (624, ... 1, ) == 0x0 01992 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 75235328, 1048576, ) == 0x0 01993 1956 NtAllocateVirtualMemory (-1, 76275712, 0, 8192, 4096, 4, ... 76275712, 8192, ) == 0x0 01994 468 NtWaitForSingleObject (88, 0, 0x0, ... 01995 1956 NtProtectVirtualMemory (-1, (0x48be000), 4096, 260, ... (0x48be000), 4096, 4, ) == 0x0 01996 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 628, {1292, 380}, ) == 0x0 01997 1956 NtQueryInformationThread (628, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff7a000,Pid=1292,Tid=380,}, 0x0, ) == 0x0 01998 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58059, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\14\5\0\0|\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\14\5\0\0|\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58060, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58059, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\14\5\0\0|\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGt\2\0\0\14\5\0\0|\1\0\0" ) ) == 0x0 01999 1956 NtResumeThread (628, ... 1, ) == 0x0 02000 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02001 380 NtWaitForSingleObject (88, 0, 0x0, ... 02000 1956 NtAllocateVirtualMemory ... 76283904, 1048576, ) == 0x0 02002 1956 NtAllocateVirtualMemory (-1, 77324288, 0, 8192, 4096, 4, ... 77324288, 8192, ) == 0x0 02003 1956 NtProtectVirtualMemory (-1, (0x49be000), 4096, 260, ... 
(0x49be000), 4096, 4, ) == 0x0 02004 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 632, {1292, 1692}, ) == 0x0 02005 1956 NtQueryInformationThread (632, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff79000,Pid=1292,Tid=1692,}, 0x0, ) == 0x0 02006 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58060, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\14\5\0\0\234\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\14\5\0\0\234\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58061, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58060, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\14\5\0\0\234\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\2\0\0\14\5\0\0\234\6\0\0" ) ) == 0x0 02007 1956 NtResumeThread (632, ... 1, ) == 0x0 02008 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 77332480, 1048576, ) == 0x0 02009 1956 NtAllocateVirtualMemory (-1, 78372864, 0, 8192, 4096, 4, ... 78372864, 8192, ) == 0x0 02010 1692 NtWaitForSingleObject (88, 0, 0x0, ... 02011 1956 NtProtectVirtualMemory (-1, (0x4abe000), 4096, 260, ... (0x4abe000), 4096, 4, ) == 0x0 02012 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 636, {1292, 1792}, ) == 0x0 02013 1956 NtQueryInformationThread (636, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff78000,Pid=1292,Tid=1792,}, 0x0, ) == 0x0 02014 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58061, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\5\0\0\0\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\5\0\0\0\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58062, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58061, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\5\0\0\0\7\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG|\2\0\0\14\5\0\0\0\7\0\0" ) ) == 0x0 02015 1956 NtResumeThread (636, ... 1, ) == 0x0 02016 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02017 1792 NtWaitForSingleObject (88, 0, 0x0, ... 02016 1956 NtAllocateVirtualMemory ... 78381056, 1048576, ) == 0x0 02018 1956 NtAllocateVirtualMemory (-1, 79421440, 0, 8192, 4096, 4, ... 79421440, 8192, ) == 0x0 02019 1956 NtProtectVirtualMemory (-1, (0x4bbe000), 4096, 260, ... (0x4bbe000), 4096, 4, ) == 0x0 02020 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 640, {1292, 784}, ) == 0x0 02021 1956 NtQueryInformationThread (640, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff77000,Pid=1292,Tid=784,}, 0x0, ) == 0x0 02022 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58062, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\14\5\0\0\20\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\14\5\0\0\20\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58063, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58062, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\14\5\0\0\20\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\200\2\0\0\14\5\0\0\20\3\0\0" ) ) == 0x0 02023 1956 NtResumeThread (640, ... 1, ) == 0x0 02024 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 79429632, 1048576, ) == 0x0 02025 1956 NtAllocateVirtualMemory (-1, 80470016, 0, 8192, 4096, 4, ... 80470016, 8192, ) == 0x0 02026 784 NtWaitForSingleObject (88, 0, 0x0, ... 02027 1956 NtProtectVirtualMemory (-1, (0x4cbe000), 4096, 260, ... (0x4cbe000), 4096, 4, ) == 0x0 02028 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 644, {1292, 1520}, ) == 0x0 02029 1956 NtQueryInformationThread (644, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff76000,Pid=1292,Tid=1520,}, 0x0, ) == 0x0 02030 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58063, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\14\5\0\0\360\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\14\5\0\0\360\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58064, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58063, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\14\5\0\0\360\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\2\0\0\14\5\0\0\360\5\0\0" ) ) == 0x0 02031 1956 NtResumeThread (644, ... 1, ) == 0x0 02032 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02033 1520 NtWaitForSingleObject (88, 0, 0x0, ... 02032 1956 NtAllocateVirtualMemory ... 80478208, 1048576, ) == 0x0 02034 1956 NtAllocateVirtualMemory (-1, 81518592, 0, 8192, 4096, 4, ... 81518592, 8192, ) == 0x0 02035 1956 NtProtectVirtualMemory (-1, (0x4dbe000), 4096, 260, ... (0x4dbe000), 4096, 4, ) == 0x0 02036 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 648, {1292, 1696}, ) == 0x0 02037 1956 NtQueryInformationThread (648, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff75000,Pid=1292,Tid=1696,}, 0x0, ) == 0x0 02038 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58064, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\14\5\0\0\240\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\14\5\0\0\240\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58065, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58064, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\14\5\0\0\240\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\210\2\0\0\14\5\0\0\240\6\0\0" ) ) == 0x0 02039 1956 NtResumeThread (648, ... 1, ) == 0x0 02040 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
81526784, 1048576, ) == 0x0 02041 1956 NtAllocateVirtualMemory (-1, 82567168, 0, 8192, 4096, 4, ... 82567168, 8192, ) == 0x0 02042 1696 NtWaitForSingleObject (88, 0, 0x0, ... 02043 1956 NtProtectVirtualMemory (-1, (0x4ebe000), 4096, 260, ... (0x4ebe000), 4096, 4, ) == 0x0 02044 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 652, {1292, 1744}, ) == 0x0 02045 1956 NtQueryInformationThread (652, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff74000,Pid=1292,Tid=1744,}, 0x0, ) == 0x0 02046 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58065, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\5\0\0\320\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\5\0\0\320\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58066, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58065, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\5\0\0\320\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\2\0\0\14\5\0\0\320\6\0\0" ) ) == 0x0 02047 1956 NtResumeThread (652, ... 1, ) == 0x0 02048 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02049 1744 NtWaitForSingleObject (88, 0, 0x0, ... 02048 1956 NtAllocateVirtualMemory ... 82575360, 1048576, ) == 0x0 02050 1956 NtAllocateVirtualMemory (-1, 83615744, 0, 8192, 4096, 4, ... 83615744, 8192, ) == 0x0 02051 1956 NtProtectVirtualMemory (-1, (0x4fbe000), 4096, 260, ... (0x4fbe000), 4096, 4, ) == 0x0 02052 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 656, {1292, 1124}, ) == 0x0 02053 1956 NtQueryInformationThread (656, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff73000,Pid=1292,Tid=1124,}, 0x0, ) == 0x0 02054 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58066, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\5\0\0d\4\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\5\0\0d\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58067, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58066, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\5\0\0d\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\220\2\0\0\14\5\0\0d\4\0\0" ) ) == 0x0 02055 1956 NtResumeThread (656, ... 1, ) == 0x0 02056 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 83623936, 1048576, ) == 0x0 02057 1956 NtAllocateVirtualMemory (-1, 84664320, 0, 8192, 4096, 4, ... 84664320, 8192, ) == 0x0 02058 1124 NtWaitForSingleObject (88, 0, 0x0, ... 02059 1956 NtProtectVirtualMemory (-1, (0x50be000), 4096, 260, ... (0x50be000), 4096, 4, ) == 0x0 02060 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 660, {1292, 1496}, ) == 0x0 02061 1956 NtQueryInformationThread (660, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff72000,Pid=1292,Tid=1496,}, 0x0, ) == 0x0 02062 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58067, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\14\5\0\0\330\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\14\5\0\0\330\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58068, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58067, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\14\5\0\0\330\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\224\2\0\0\14\5\0\0\330\5\0\0" ) ) == 0x0 02063 1956 NtResumeThread (660, ... 1, ) == 0x0 02064 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02065 1496 NtWaitForSingleObject (88, 0, 0x0, ... 02064 1956 NtAllocateVirtualMemory ... 84672512, 1048576, ) == 0x0 02066 1956 NtAllocateVirtualMemory (-1, 85712896, 0, 8192, 4096, 4, ... 85712896, 8192, ) == 0x0 02067 1956 NtProtectVirtualMemory (-1, (0x51be000), 4096, 260, ... 
(0x51be000), 4096, 4, ) == 0x0 02068 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 664, {1292, 168}, ) == 0x0 02069 1956 NtQueryInformationThread (664, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff71000,Pid=1292,Tid=168,}, 0x0, ) == 0x0 02070 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58068, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\5\0\0\250\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\5\0\0\250\0\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58069, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58068, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\5\0\0\250\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\230\2\0\0\14\5\0\0\250\0\0\0" ) ) == 0x0 02071 1956 NtResumeThread (664, ... 1, ) == 0x0 02072 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 85721088, 1048576, ) == 0x0 02073 1956 NtAllocateVirtualMemory (-1, 86761472, 0, 8192, 4096, 4, ... 86761472, 8192, ) == 0x0 02074 168 NtWaitForSingleObject (88, 0, 0x0, ... 02075 1956 NtProtectVirtualMemory (-1, (0x52be000), 4096, 260, ... (0x52be000), 4096, 4, ) == 0x0 02076 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 668, {1292, 1284}, ) == 0x0 02077 1956 NtQueryInformationThread (668, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff70000,Pid=1292,Tid=1284,}, 0x0, ) == 0x0 02078 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58069, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\5\0\0\4\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\5\0\0\4\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58070, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58069, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\5\0\0\4\5\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\2\0\0\14\5\0\0\4\5\0\0" ) ) == 0x0 02079 1956 NtResumeThread (668, ... 1, ) == 0x0 02080 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02081 1284 NtWaitForSingleObject (88, 0, 0x0, ... 02080 1956 NtAllocateVirtualMemory ... 86769664, 1048576, ) == 0x0 02082 1956 NtAllocateVirtualMemory (-1, 87810048, 0, 8192, 4096, 4, ... 87810048, 8192, ) == 0x0 02083 1956 NtProtectVirtualMemory (-1, (0x53be000), 4096, 260, ... (0x53be000), 4096, 4, ) == 0x0 02084 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 672, {1292, 1268}, ) == 0x0 02085 1956 NtQueryInformationThread (672, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6f000,Pid=1292,Tid=1268,}, 0x0, ) == 0x0 02086 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58070, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\5\0\0\364\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\5\0\0\364\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58071, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58070, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\5\0\0\364\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\240\2\0\0\14\5\0\0\364\4\0\0" ) ) == 0x0 02087 1956 NtResumeThread (672, ... 1, ) == 0x0 02088 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 87818240, 1048576, ) == 0x0 02089 1956 NtAllocateVirtualMemory (-1, 88858624, 0, 8192, 4096, 4, ... 88858624, 8192, ) == 0x0 02090 1268 NtWaitForSingleObject (88, 0, 0x0, ... 02091 1956 NtProtectVirtualMemory (-1, (0x54be000), 4096, 260, ... (0x54be000), 4096, 4, ) == 0x0 02092 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 676, {1292, 840}, ) == 0x0 02093 1956 NtQueryInformationThread (676, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff6e000,Pid=1292,Tid=840,}, 0x0, ) == 0x0 02094 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58071, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\5\0\0H\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\5\0\0H\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58072, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58071, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\5\0\0H\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\244\2\0\0\14\5\0\0H\3\0\0" ) ) == 0x0 02095 1956 NtResumeThread (676, ... 1, ) == 0x0 02096 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02097 840 NtWaitForSingleObject (88, 0, 0x0, ... 02096 1956 NtAllocateVirtualMemory ... 88866816, 1048576, ) == 0x0 02098 1956 NtAllocateVirtualMemory (-1, 89907200, 0, 8192, 4096, 4, ... 89907200, 8192, ) == 0x0 02099 1956 NtProtectVirtualMemory (-1, (0x55be000), 4096, 260, ... (0x55be000), 4096, 4, ) == 0x0 02100 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 680, {1292, 1336}, ) == 0x0 02101 1956 NtQueryInformationThread (680, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6d000,Pid=1292,Tid=1336,}, 0x0, ) == 0x0 02102 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58072, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\5\0\08\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\5\0\08\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58073, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58072, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\5\0\08\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\2\0\0\14\5\0\08\5\0\0" ) ) == 0x0 02103 1956 NtResumeThread (680, ... 1, ) == 0x0 02104 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
89915392, 1048576, ) == 0x0 02105 1956 NtAllocateVirtualMemory (-1, 90955776, 0, 8192, 4096, 4, ... 90955776, 8192, ) == 0x0 02106 1336 NtWaitForSingleObject (88, 0, 0x0, ... 02107 1956 NtProtectVirtualMemory (-1, (0x56be000), 4096, 260, ... (0x56be000), 4096, 4, ) == 0x0 02108 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 684, {1292, 1200}, ) == 0x0 02109 1956 NtQueryInformationThread (684, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6c000,Pid=1292,Tid=1200,}, 0x0, ) == 0x0 02110 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58073, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\14\5\0\0\260\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\14\5\0\0\260\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58074, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58073, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\14\5\0\0\260\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\254\2\0\0\14\5\0\0\260\4\0\0" ) ) == 0x0 02111 1956 NtResumeThread (684, ... 1, ) == 0x0 02112 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02113 1200 NtWaitForSingleObject (88, 0, 0x0, ... 02112 1956 NtAllocateVirtualMemory ... 90963968, 1048576, ) == 0x0 02114 1956 NtAllocateVirtualMemory (-1, 92004352, 0, 8192, 4096, 4, ... 92004352, 8192, ) == 0x0 02115 1956 NtProtectVirtualMemory (-1, (0x57be000), 4096, 260, ... (0x57be000), 4096, 4, ) == 0x0 02116 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 688, {1292, 1920}, ) == 0x0 02117 1956 NtQueryInformationThread (688, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6b000,Pid=1292,Tid=1920,}, 0x0, ) == 0x0 02118 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58074, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\5\0\0\200\7\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\5\0\0\200\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58075, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58074, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\5\0\0\200\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\2\0\0\14\5\0\0\200\7\0\0" ) ) == 0x0 02119 1956 NtResumeThread (688, ... 1, ) == 0x0 02120 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 92012544, 1048576, ) == 0x0 02121 1956 NtAllocateVirtualMemory (-1, 93052928, 0, 8192, 4096, 4, ... 93052928, 8192, ) == 0x0 02122 1920 NtWaitForSingleObject (88, 0, 0x0, ... 02123 1956 NtProtectVirtualMemory (-1, (0x58be000), 4096, 260, ... (0x58be000), 4096, 4, ) == 0x0 02124 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 692, {1292, 896}, ) == 0x0 02125 1956 NtQueryInformationThread (692, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff6a000,Pid=1292,Tid=896,}, 0x0, ) == 0x0 02126 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58075, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\14\5\0\0\200\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\14\5\0\0\200\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58076, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58075, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\14\5\0\0\200\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\264\2\0\0\14\5\0\0\200\3\0\0" ) ) == 0x0 02127 1956 NtResumeThread (692, ... 1, ) == 0x0 02128 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02129 896 NtWaitForSingleObject (88, 0, 0x0, ... 02128 1956 NtAllocateVirtualMemory ... 93061120, 1048576, ) == 0x0 02130 1956 NtAllocateVirtualMemory (-1, 94101504, 0, 8192, 4096, 4, ... 94101504, 8192, ) == 0x0 02131 1956 NtProtectVirtualMemory (-1, (0x59be000), 4096, 260, ... 
(0x59be000), 4096, 4, ) == 0x0 02132 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 696, {1292, 2016}, ) == 0x0 02133 1956 NtQueryInformationThread (696, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff69000,Pid=1292,Tid=2016,}, 0x0, ) == 0x0 02134 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58076, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\14\5\0\0\340\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\14\5\0\0\340\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58077, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58076, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\14\5\0\0\340\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\270\2\0\0\14\5\0\0\340\7\0\0" ) ) == 0x0 02135 1956 NtResumeThread (696, ... 1, ) == 0x0 02136 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 94109696, 1048576, ) == 0x0 02137 1956 NtAllocateVirtualMemory (-1, 95150080, 0, 8192, 4096, 4, ... 95150080, 8192, ) == 0x0 02138 2016 NtWaitForSingleObject (88, 0, 0x0, ... 02139 1956 NtProtectVirtualMemory (-1, (0x5abe000), 4096, 260, ... (0x5abe000), 4096, 4, ) == 0x0 02140 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 700, {1292, 2012}, ) == 0x0 02141 1956 NtQueryInformationThread (700, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff68000,Pid=1292,Tid=2012,}, 0x0, ) == 0x0 02142 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58077, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\14\5\0\0\334\7\0\0" ... {28, 56, reply, 0, 1292, 1956, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\14\5\0\0\334\7\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58078, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58077, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\14\5\0\0\334\7\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\274\2\0\0\14\5\0\0\334\7\0\0" ) ) == 0x0 02143 1956 NtResumeThread (700, ... 1, ) == 0x0 02144 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02145 2012 NtWaitForSingleObject (88, 0, 0x0, ... 02144 1956 NtAllocateVirtualMemory ... 95158272, 1048576, ) == 0x0 02146 1956 NtAllocateVirtualMemory (-1, 96198656, 0, 8192, 4096, 4, ... 96198656, 8192, ) == 0x0 02147 1956 NtProtectVirtualMemory (-1, (0x5bbe000), 4096, 260, ... (0x5bbe000), 4096, 4, ) == 0x0 02148 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 704, {1292, 1604}, ) == 0x0 02149 1956 NtQueryInformationThread (704, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff67000,Pid=1292,Tid=1604,}, 0x0, ) == 0x0 02150 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58078, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\14\5\0\0D\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\14\5\0\0D\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58079, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58078, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\14\5\0\0D\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\2\0\0\14\5\0\0D\6\0\0" ) ) == 0x0 02151 1956 NtResumeThread (704, ... 1, ) == 0x0 02152 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 96206848, 1048576, ) == 0x0 02153 1956 NtAllocateVirtualMemory (-1, 97247232, 0, 8192, 4096, 4, ... 97247232, 8192, ) == 0x0 02154 1604 NtWaitForSingleObject (88, 0, 0x0, ... 02155 1956 NtProtectVirtualMemory (-1, (0x5cbe000), 4096, 260, ... (0x5cbe000), 4096, 4, ) == 0x0 02156 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 708, {1292, 1572}, ) == 0x0 02157 1956 NtQueryInformationThread (708, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff66000,Pid=1292,Tid=1572,}, 0x0, ) == 0x0 02158 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58079, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\14\5\0\0$\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\14\5\0\0$\6\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58080, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58079, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\14\5\0\0$\6\0\0" ... {28, 56, reply, 0, 1292, 1956, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\304\2\0\0\14\5\0\0$\6\0\0" ) ) == 0x0 02159 1956 NtResumeThread (708, ... 1, ) == 0x0 02160 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02161 1572 NtWaitForSingleObject (88, 0, 0x0, ... 02160 1956 NtAllocateVirtualMemory ... 97255424, 1048576, ) == 0x0 02162 1956 NtAllocateVirtualMemory (-1, 98295808, 0, 8192, 4096, 4, ... 98295808, 8192, ) == 0x0 02163 1956 NtProtectVirtualMemory (-1, (0x5dbe000), 4096, 260, ... (0x5dbe000), 4096, 4, ) == 0x0 02164 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 712, {1292, 596}, ) == 0x0 02165 1956 NtQueryInformationThread (712, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff65000,Pid=1292,Tid=596,}, 0x0, ) == 0x0 02166 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58080, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\5\0\0T\2\0\0" ... {28, 56, reply, 0, 1292, 1956, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\5\0\0T\2\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58081, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58080, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\5\0\0T\2\0\0" ... {28, 56, reply, 0, 1292, 1956, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\310\2\0\0\14\5\0\0T\2\0\0" ) ) == 0x0 02167 1956 NtResumeThread (712, ... 1, ) == 0x0 02168 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
98304000, 1048576, ) == 0x0 02169 1956 NtAllocateVirtualMemory (-1, 99344384, 0, 8192, 4096, 4, ... 99344384, 8192, ) == 0x0 02170 596 NtWaitForSingleObject (88, 0, 0x0, ... 02171 1956 NtProtectVirtualMemory (-1, (0x5ebe000), 4096, 260, ... (0x5ebe000), 4096, 4, ) == 0x0 02172 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 716, {1292, 376}, ) == 0x0 02173 1956 NtQueryInformationThread (716, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff64000,Pid=1292,Tid=376,}, 0x0, ) == 0x0 02174 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58081, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\14\5\0\0x\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\14\5\0\0x\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58082, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58081, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\14\5\0\0x\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\314\2\0\0\14\5\0\0x\1\0\0" ) ) == 0x0 02175 1956 NtResumeThread (716, ... 1, ) == 0x0 02176 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02177 376 NtWaitForSingleObject (88, 0, 0x0, ... 02176 1956 NtAllocateVirtualMemory ... 99352576, 1048576, ) == 0x0 02178 1956 NtAllocateVirtualMemory (-1, 100392960, 0, 8192, 4096, 4, ... 100392960, 8192, ) == 0x0 02179 1956 NtProtectVirtualMemory (-1, (0x5fbe000), 4096, 260, ... (0x5fbe000), 4096, 4, ) == 0x0 02180 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 720, {1292, 1168}, ) == 0x0 02181 1956 NtQueryInformationThread (720, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff63000,Pid=1292,Tid=1168,}, 0x0, ) == 0x0 02182 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58082, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\5\0\0\220\4\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\5\0\0\220\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58083, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58082, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\5\0\0\220\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\320\2\0\0\14\5\0\0\220\4\0\0" ) ) == 0x0 02183 1956 NtResumeThread (720, ... 1, ) == 0x0 02184 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 100401152, 1048576, ) == 0x0 02185 1956 NtAllocateVirtualMemory (-1, 101441536, 0, 8192, 4096, 4, ... 101441536, 8192, ) == 0x0 02186 1168 NtWaitForSingleObject (88, 0, 0x0, ... 02187 1956 NtProtectVirtualMemory (-1, (0x60be000), 4096, 260, ... (0x60be000), 4096, 4, ) == 0x0 02188 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 724, {1292, 428}, ) == 0x0 02189 1956 NtQueryInformationThread (724, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff62000,Pid=1292,Tid=428,}, 0x0, ) == 0x0 02190 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58083, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\5\0\0\254\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\5\0\0\254\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58084, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58083, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\5\0\0\254\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\2\0\0\14\5\0\0\254\1\0\0" ) ) == 0x0 02191 1956 NtResumeThread (724, ... 1, ) == 0x0 02192 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02193 428 NtWaitForSingleObject (88, 0, 0x0, ... 02192 1956 NtAllocateVirtualMemory ... 101449728, 1048576, ) == 0x0 02194 1956 NtAllocateVirtualMemory (-1, 102490112, 0, 8192, 4096, 4, ... 102490112, 8192, ) == 0x0 02195 1956 NtProtectVirtualMemory (-1, (0x61be000), 4096, 260, ... 
(0x61be000), 4096, 4, ) == 0x0 02196 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 728, {1292, 1344}, ) == 0x0 02197 1956 NtQueryInformationThread (728, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff61000,Pid=1292,Tid=1344,}, 0x0, ) == 0x0 02198 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58084, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\5\0\0@\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\5\0\0@\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58085, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58084, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\5\0\0@\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\330\2\0\0\14\5\0\0@\5\0\0" ) ) == 0x0 02199 1956 NtResumeThread (728, ... 1, ) == 0x0 02200 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 102498304, 1048576, ) == 0x0 02201 1956 NtAllocateVirtualMemory (-1, 103538688, 0, 8192, 4096, 4, ... 103538688, 8192, ) == 0x0 02202 1344 NtWaitForSingleObject (88, 0, 0x0, ... 02203 1956 NtProtectVirtualMemory (-1, (0x62be000), 4096, 260, ... (0x62be000), 4096, 4, ) == 0x0 02204 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 732, {1292, 1300}, ) == 0x0 02205 1956 NtQueryInformationThread (732, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff60000,Pid=1292,Tid=1300,}, 0x0, ) == 0x0 02206 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58085, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\5\0\0\24\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\5\0\0\24\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58086, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58085, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\5\0\0\24\5\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\2\0\0\14\5\0\0\24\5\0\0" ) ) == 0x0 02207 1956 NtResumeThread (732, ... 1, ) == 0x0 02208 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02209 1300 NtWaitForSingleObject (88, 0, 0x0, ... 02208 1956 NtAllocateVirtualMemory ... 103546880, 1048576, ) == 0x0 02210 1956 NtAllocateVirtualMemory (-1, 104587264, 0, 8192, 4096, 4, ... 104587264, 8192, ) == 0x0 02211 1956 NtProtectVirtualMemory (-1, (0x63be000), 4096, 260, ... (0x63be000), 4096, 4, ) == 0x0 02212 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 736, {1292, 1096}, ) == 0x0 02213 1956 NtQueryInformationThread (736, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5f000,Pid=1292,Tid=1096,}, 0x0, ) == 0x0 02214 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58086, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\5\0\0H\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\5\0\0H\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58087, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58086, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\5\0\0H\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\340\2\0\0\14\5\0\0H\4\0\0" ) ) == 0x0 02215 1956 NtResumeThread (736, ... 1, ) == 0x0 02216 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 104595456, 1048576, ) == 0x0 02217 1956 NtAllocateVirtualMemory (-1, 105635840, 0, 8192, 4096, 4, ... 105635840, 8192, ) == 0x0 02218 1096 NtWaitForSingleObject (88, 0, 0x0, ... 02219 1956 NtProtectVirtualMemory (-1, (0x64be000), 4096, 260, ... (0x64be000), 4096, 4, ) == 0x0 02220 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 740, {1292, 252}, ) == 0x0 02221 1956 NtQueryInformationThread (740, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff5e000,Pid=1292,Tid=252,}, 0x0, ) == 0x0 02222 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58087, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\5\0\0\374\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\5\0\0\374\0\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58088, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58087, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\5\0\0\374\0\0\0" ... {28, 56, reply, 0, 1292, 1956, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\344\2\0\0\14\5\0\0\374\0\0\0" ) ) == 0x0 02223 1956 NtResumeThread (740, ... 1, ) == 0x0 02224 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02225 252 NtWaitForSingleObject (88, 0, 0x0, ... 02224 1956 NtAllocateVirtualMemory ... 105644032, 1048576, ) == 0x0 02226 1956 NtAllocateVirtualMemory (-1, 106684416, 0, 8192, 4096, 4, ... 106684416, 8192, ) == 0x0 02227 1956 NtProtectVirtualMemory (-1, (0x65be000), 4096, 260, ... (0x65be000), 4096, 4, ) == 0x0 02228 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 744, {1292, 500}, ) == 0x0 02229 1956 NtQueryInformationThread (744, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5d000,Pid=1292,Tid=500,}, 0x0, ) == 0x0 02230 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58088, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\5\0\0\364\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\5\0\0\364\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58089, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58088, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\5\0\0\364\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\2\0\0\14\5\0\0\364\1\0\0" ) ) == 0x0 02231 1956 NtResumeThread (744, ... 1, ) == 0x0 02232 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
106692608, 1048576, ) == 0x0 02233 1956 NtAllocateVirtualMemory (-1, 107732992, 0, 8192, 4096, 4, ... 107732992, 8192, ) == 0x0 02234 500 NtWaitForSingleObject (88, 0, 0x0, ... 02235 1956 NtProtectVirtualMemory (-1, (0x66be000), 4096, 260, ... (0x66be000), 4096, 4, ) == 0x0 02236 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 748, {1292, 1132}, ) == 0x0 02237 1956 NtQueryInformationThread (748, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5c000,Pid=1292,Tid=1132,}, 0x0, ) == 0x0 02238 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58089, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\5\0\0l\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\5\0\0l\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58090, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58089, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\5\0\0l\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\354\2\0\0\14\5\0\0l\4\0\0" ) ) == 0x0 02239 1956 NtResumeThread (748, ... 1, ) == 0x0 02240 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02241 1132 NtWaitForSingleObject (88, 0, 0x0, ... 02240 1956 NtAllocateVirtualMemory ... 107741184, 1048576, ) == 0x0 02242 1956 NtAllocateVirtualMemory (-1, 108781568, 0, 8192, 4096, 4, ... 108781568, 8192, ) == 0x0 02243 1956 NtProtectVirtualMemory (-1, (0x67be000), 4096, 260, ... (0x67be000), 4096, 4, ) == 0x0 02244 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 752, {1292, 1024}, ) == 0x0 02245 1956 NtQueryInformationThread (752, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5b000,Pid=1292,Tid=1024,}, 0x0, ) == 0x0 02246 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58090, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\5\0\0\0\4\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\5\0\0\0\4\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58091, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58090, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\5\0\0\0\4\0\0" ... {28, 56, reply, 0, 1292, 1956, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\360\2\0\0\14\5\0\0\0\4\0\0" ) ) == 0x0 02247 1956 NtResumeThread (752, ... 1, ) == 0x0 02248 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 108789760, 1048576, ) == 0x0 02249 1956 NtAllocateVirtualMemory (-1, 109830144, 0, 8192, 4096, 4, ... 109830144, 8192, ) == 0x0 02250 1024 NtWaitForSingleObject (88, 0, 0x0, ... 02251 1956 NtProtectVirtualMemory (-1, (0x68be000), 4096, 260, ... (0x68be000), 4096, 4, ) == 0x0 02252 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 756, {1292, 948}, ) == 0x0 02253 1956 NtQueryInformationThread (756, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff5a000,Pid=1292,Tid=948,}, 0x0, ) == 0x0 02254 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58091, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\5\0\0\264\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\5\0\0\264\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58092, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58091, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\5\0\0\264\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\2\0\0\14\5\0\0\264\3\0\0" ) ) == 0x0 02255 1956 NtResumeThread (756, ... 1, ) == 0x0 02256 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02257 948 NtWaitForSingleObject (88, 0, 0x0, ... 02256 1956 NtAllocateVirtualMemory ... 109838336, 1048576, ) == 0x0 02258 1956 NtAllocateVirtualMemory (-1, 110878720, 0, 8192, 4096, 4, ... 110878720, 8192, ) == 0x0 02259 1956 NtProtectVirtualMemory (-1, (0x69be000), 4096, 260, ... 
(0x69be000), 4096, 4, ) == 0x0 02260 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 760, {1292, 1388}, ) == 0x0 02261 1956 NtQueryInformationThread (760, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff59000,Pid=1292,Tid=1388,}, 0x0, ) == 0x0 02262 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58092, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\14\5\0\0l\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\14\5\0\0l\5\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58093, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58092, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\14\5\0\0l\5\0\0" ... {28, 56, reply, 0, 1292, 1956, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\370\2\0\0\14\5\0\0l\5\0\0" ) ) == 0x0 02263 1956 NtResumeThread (760, ... 1, ) == 0x0 02264 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 110886912, 1048576, ) == 0x0 02265 1956 NtAllocateVirtualMemory (-1, 111927296, 0, 8192, 4096, 4, ... 111927296, 8192, ) == 0x0 02266 1388 NtWaitForSingleObject (88, 0, 0x0, ... 02267 1956 NtProtectVirtualMemory (-1, (0x6abe000), 4096, 260, ... (0x6abe000), 4096, 4, ) == 0x0 02268 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 764, {1292, 520}, ) == 0x0 02269 1956 NtQueryInformationThread (764, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff58000,Pid=1292,Tid=520,}, 0x0, ) == 0x0 02270 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58093, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\5\0\0\10\2\0\0" ... {28, 56, reply, 0, 1292, 1956, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\5\0\0\10\2\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58094, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58093, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\5\0\0\10\2\0\0" ... 
{28, 56, reply, 0, 1292, 1956, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\374\2\0\0\14\5\0\0\10\2\0\0" ) ) == 0x0 02271 1956 NtResumeThread (764, ... 1, ) == 0x0 02272 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02273 520 NtWaitForSingleObject (88, 0, 0x0, ... 02272 1956 NtAllocateVirtualMemory ... 111935488, 1048576, ) == 0x0 02274 1956 NtAllocateVirtualMemory (-1, 112975872, 0, 8192, 4096, 4, ... 112975872, 8192, ) == 0x0 02275 1956 NtProtectVirtualMemory (-1, (0x6bbe000), 4096, 260, ... (0x6bbe000), 4096, 4, ) == 0x0 02276 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 768, {1292, 276}, ) == 0x0 02277 1956 NtQueryInformationThread (768, Basic, 28, ... {ExitStatus=0x103,TebBaseAddress=0x7ff57000,Pid=1292,Tid=276,}, 0x0, ) == 0x0 02278 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58094, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\5\0\0\24\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\5\0\0\24\1\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58095, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58094, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\5\0\0\24\1\0\0" ... {28, 56, reply, 0, 1292, 1956, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\0\3\0\0\14\5\0\0\24\1\0\0" ) ) == 0x0 02279 1956 NtResumeThread (768, ... 1, ) == 0x0 02280 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 112984064, 1048576, ) == 0x0 02281 1956 NtAllocateVirtualMemory (-1, 114024448, 0, 8192, 4096, 4, ... 114024448, 8192, ) == 0x0 02282 276 NtWaitForSingleObject (88, 0, 0x0, ... 02283 1956 NtProtectVirtualMemory (-1, (0x6cbe000), 4096, 260, ... (0x6cbe000), 4096, 4, ) == 0x0 02284 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 772, {1292, 996}, ) == 0x0 02285 1956 NtQueryInformationThread (772, Basic, 28, ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff56000,Pid=1292,Tid=996,}, 0x0, ) == 0x0 02286 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58095, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\5\0\0\344\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\5\0\0\344\3\0\0" ) ... {28, 56, reply, 0, 1292, 1956, 58096, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58095, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\5\0\0\344\3\0\0" ... {28, 56, reply, 0, 1292, 1956, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\4\3\0\0\14\5\0\0\344\3\0\0" ) ) == 0x0 02287 1956 NtResumeThread (772, ... 1, ) == 0x0 02288 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02289 1856 NtQueryPerformanceCounter (... 01947 1068 NtRequestWaitReplyPort ... {44, 68, reply, 0, 1292, 1068, 58055, 0} ... {44, 68, reply, 0, 1292, 1068, 58055, 0} "\4\31\221|\0\0\221|\200\300\227|p\31\221|\0\276\21\0\330\0\0\0\204-|\2\0\220\366\177\2\0\0\0\0\0\0\0\0\0\0\0" ) ) == 0x0 02290 996 NtWaitForSingleObject (88, 0, 0x0, ... 02289 1856 NtQueryPerformanceCounter ... {935633201, 10}, {3579545, 0}, ) == 0x0 02291 1068 NtRaiseException (11008528, 11007788, 1, ... 02292 1856 NtSetEventBoostPriority (88, ... 02293 1068 NtQueryVirtualMemory (-1, 0x77ea0470, BasicVlm, 16, ... 01871 752 NtWaitForSingleObject ... ) == 0x0 02292 1856 NtSetEventBoostPriority ... ) == 0x0 02288 1956 NtAllocateVirtualMemory ... 114032640, 1048576, ) == 0x0 02294 752 NtSetEventBoostPriority (88, ... 02295 1856 NtWaitForSingleObject (88, 0, 0x0, ... 01891 120 NtWaitForSingleObject ... ) == 0x0 02294 752 NtSetEventBoostPriority ... ) == 0x0 02296 1956 NtAllocateVirtualMemory (-1, 115073024, 0, 8192, 4096, 4, ... 02297 120 NtSetEventBoostPriority (88, ... 02293 1068 NtQueryVirtualMemory ... {memory info, class 3, size 16}, 0x0, ) == 0x0 01913 1732 NtWaitForSingleObject ... ) == 0x0 02297 120 NtSetEventBoostPriority ... 
) == 0x0 02296 1956 NtAllocateVirtualMemory ... 115073024, 8192, ) == 0x0 02298 1732 NtSetEventBoostPriority (88, ... 02299 1068 NtQueryVirtualMemory (-1, 0x77e7a298, Basic, 28, ... 02300 752 NtTestAlert (... 01929 188 NtWaitForSingleObject ... ) == 0x0 02298 1732 NtSetEventBoostPriority ... ) == 0x0 02301 1956 NtProtectVirtualMemory (-1, (0x6dbe000), 4096, 260, ... 02299 1068 NtQueryVirtualMemory ... {BaseAddress=0x77e7a000,AllocationBase=0x77e70000,AllocationProtect=0x80,RegionSize=0x80000,State=0x1000,Protect=0x20,Type=0x1000000,}, 28, ) == 0x0 02302 188 NtSetEventBoostPriority (88, ... 02300 752 NtTestAlert ... ) == 0x0 02303 120 NtTestAlert (... 02301 1956 NtProtectVirtualMemory ... (0x6dbe000), 4096, 4, ) == 0x0 01955 1636 NtWaitForSingleObject ... ) == 0x0 02302 188 NtSetEventBoostPriority ... ) == 0x0 02304 1068 NtContinue (11006756, 0, ... 02305 752 NtContinue (66846000, 1, ... 02303 120 NtTestAlert ... ) == 0x0 02306 1636 NtSetEventBoostPriority (88, ... 02307 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02308 1732 NtTestAlert (... 02309 752 NtRegisterThreadTerminatePort (24, ... 01965 624 NtWaitForSingleObject ... ) == 0x0 02306 1636 NtSetEventBoostPriority ... ) == 0x0 02310 120 NtContinue (67894576, 1, ... 02311 188 NtTestAlert (... 02308 1732 NtTestAlert ... ) == 0x0 02312 624 NtSetEventBoostPriority (88, ... 02309 752 NtRegisterThreadTerminatePort ... ) == 0x0 02307 1956 NtCreateThread ... 776, {1292, 1064}, ) == 0x0 02313 120 NtRegisterThreadTerminatePort (24, ... 02311 188 NtTestAlert ... ) == 0x0 01978 1948 NtWaitForSingleObject ... ) == 0x0 02312 624 NtSetEventBoostPriority ... ) == 0x0 02314 1732 NtContinue (68943152, 1, ... 02315 752 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02316 1956 NtQueryInformationThread (776, Basic, 28, ... 02313 120 NtRegisterThreadTerminatePort ... ) == 0x0 02317 1948 NtSetEventBoostPriority (88, ... 02318 188 NtContinue (69991728, 1, ... 02319 1636 NtTestAlert (... 
02320 1068 NtDeviceIoControlFile (416, 112, 0x0, 0x0, 0x1200c, 0x0, 0, 26, ... 02321 1732 NtRegisterThreadTerminatePort (24, ... 02322 624 NtTestAlert (... 02316 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff55000,Pid=1292,Tid=1064,}, 0x0, ) == 0x0 01985 988 NtWaitForSingleObject ... ) == 0x0 02317 1948 NtSetEventBoostPriority ... ) == 0x0 02323 120 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02324 188 NtRegisterThreadTerminatePort (24, ... 02319 1636 NtTestAlert ... ) == 0x0 02320 1068 NtDeviceIoControlFile ... {status=0x0, info=0}, "", ) == 0x103 02321 1732 NtRegisterThreadTerminatePort ... ) == 0x0 02322 624 NtTestAlert ... ) == 0x0 02325 988 NtSetEventBoostPriority (88, ... 02326 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58096, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58096, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\5\0\0(\4\0\0" ... ... 02315 752 NtDuplicateObject ... 780, ) == 0x0 02327 1948 NtTestAlert (... 02324 188 NtRegisterThreadTerminatePort ... ) == 0x0 02328 1636 NtContinue (71040304, 1, ... 02329 1068 NtWaitForSingleObject (112, 1, {-5000000, -1}, ... 02330 1732 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 01994 468 NtWaitForSingleObject ... ) == 0x0 02325 988 NtSetEventBoostPriority ... ) == 0x0 02331 624 NtContinue (72088880, 1, ... 02326 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58097, 0} ... {28, 56, reply, 0, 1292, 1956, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\3\0\0\14\5\0\0(\4\0\0" ) ) == 0x0 02332 752 NtWaitForSingleObject (64, 0, {0, 0}, ... 02327 1948 NtTestAlert ... ) == 0x0 02333 188 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02334 1636 NtRegisterThreadTerminatePort (24, ... 02323 120 NtDuplicateObject ... 784, ) == 0x0 02335 468 NtSetEventBoostPriority (88, ... 02330 1732 NtDuplicateObject ... 788, ) == 0x0 02336 624 NtRegisterThreadTerminatePort (24, ... 02337 988 NtTestAlert (... 02332 752 NtWaitForSingleObject ... 
) == 0x102 02338 1948 NtContinue (73137456, 1, ... 02339 1956 NtResumeThread (776, ... 02334 1636 NtRegisterThreadTerminatePort ... ) == 0x0 02001 380 NtWaitForSingleObject ... ) == 0x0 02335 468 NtSetEventBoostPriority ... ) == 0x0 02340 120 NtWaitForSingleObject (64, 0, {0, 0}, ... 02341 1732 NtWaitForSingleObject (64, 0, {0, 0}, ... 02336 624 NtRegisterThreadTerminatePort ... ) == 0x0 02337 988 NtTestAlert ... ) == 0x0 02342 752 NtWaitForSingleObject (136, 0, 0x0, ... 02343 1948 NtRegisterThreadTerminatePort (24, ... 02339 1956 NtResumeThread ... 1, ) == 0x0 02344 380 NtSetEventBoostPriority (88, ... 02345 1636 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02333 188 NtDuplicateObject ... 792, ) == 0x0 02346 1064 NtWaitForSingleObject (88, 0, 0x0, ... 02340 120 NtWaitForSingleObject ... ) == 0x102 02341 1732 NtWaitForSingleObject ... ) == 0x102 02347 624 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02348 988 NtContinue (74186032, 1, ... 02343 1948 NtRegisterThreadTerminatePort ... ) == 0x0 02010 1692 NtWaitForSingleObject ... ) == 0x0 02344 380 NtSetEventBoostPriority ... ) == 0x0 02349 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02350 468 NtTestAlert (... 02351 188 NtWaitForSingleObject (64, 0, {0, 0}, ... 02352 120 NtWaitForSingleObject (136, 0, 0x0, ... 02353 1732 NtWaitForSingleObject (136, 0, 0x0, ... 02345 1636 NtDuplicateObject ... 796, ) == 0x0 02354 988 NtRegisterThreadTerminatePort (24, ... 02355 1692 NtSetEventBoostPriority (88, ... 02356 1948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02347 624 NtDuplicateObject ... 800, ) == 0x0 02349 1956 NtAllocateVirtualMemory ... 115081216, 1048576, ) == 0x0 02350 468 NtTestAlert ... ) == 0x0 02351 188 NtWaitForSingleObject ... ) == 0x102 02357 1636 NtWaitForSingleObject (64, 0, {0, 0}, ... 02017 1792 NtWaitForSingleObject ... ) == 0x0 02355 1692 NtSetEventBoostPriority ... ) == 0x0 02354 988 NtRegisterThreadTerminatePort ... ) == 0x0 02358 380 NtTestAlert (... 
02359 624 NtAllocateVirtualMemory (-1, 1404928, 0, 4096, 4096, 4, ... 02360 1956 NtAllocateVirtualMemory (-1, 116121600, 0, 8192, 4096, 4, ... 02361 468 NtContinue (75234608, 1, ... 02362 188 NtWaitForSingleObject (136, 0, 0x0, ... 02363 1792 NtWaitForSingleObject (272, 0, 0x0, ... 02357 1636 NtWaitForSingleObject ... ) == 0x102 02356 1948 NtDuplicateObject ... 804, ) == 0x0 02364 988 NtWaitForSingleObject (272, 0, 0x0, ... 02358 380 NtTestAlert ... ) == 0x0 02359 624 NtAllocateVirtualMemory ... 1404928, 4096, ) == 0x0 02360 1956 NtAllocateVirtualMemory ... 116121600, 8192, ) == 0x0 02365 468 NtRegisterThreadTerminatePort (24, ... 02366 1636 NtWaitForSingleObject (272, 0, 0x0, ... 02367 1948 NtWaitForSingleObject (272, 0, 0x0, ... 02368 1692 NtTestAlert (... 02369 380 NtContinue (76283184, 1, ... 02370 624 NtSetEventBoostPriority (272, ... 02365 468 NtRegisterThreadTerminatePort ... ) == 0x0 02368 1692 NtTestAlert ... ) == 0x0 02371 380 NtRegisterThreadTerminatePort (24, ... 02363 1792 NtWaitForSingleObject ... ) == 0x0 02370 624 NtSetEventBoostPriority ... ) == 0x0 02372 468 NtWaitForSingleObject (272, 0, 0x0, ... 02373 1692 NtContinue (77331760, 1, ... 02374 1792 NtSetEventBoostPriority (272, ... 02371 380 NtRegisterThreadTerminatePort ... ) == 0x0 02375 624 NtWaitForSingleObject (272, 0, 0x0, ... 02376 1956 NtProtectVirtualMemory (-1, (0x6ebe000), 4096, 260, ... 02364 988 NtWaitForSingleObject ... ) == 0x0 02374 1792 NtSetEventBoostPriority ... ) == 0x0 02377 1692 NtRegisterThreadTerminatePort (24, ... 02378 380 NtWaitForSingleObject (272, 0, 0x0, ... 02379 988 NtSetEventBoostPriority (272, ... 02376 1956 NtProtectVirtualMemory ... (0x6ebe000), 4096, 4, ) == 0x0 02377 1692 NtRegisterThreadTerminatePort ... ) == 0x0 02380 1792 NtSetEventBoostPriority (88, ... 02366 1636 NtWaitForSingleObject ... ) == 0x0 02381 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02382 1692 NtWaitForSingleObject (272, 0, 0x0, ... 02026 784 NtWaitForSingleObject ... 
) == 0x0 02380 1792 NtSetEventBoostPriority ... ) == 0x0 02383 1636 NtSetEventBoostPriority (272, ... 02381 1956 NtCreateThread ... 808, {1292, 1600}, ) == 0x0 02379 988 NtSetEventBoostPriority ... ) == 0x0 02384 784 NtWaitForSingleObject (272, 0, 0x0, ... 02385 1792 NtTestAlert (... 02367 1948 NtWaitForSingleObject ... ) == 0x0 02383 1636 NtSetEventBoostPriority ... ) == 0x0 02386 1956 NtQueryInformationThread (808, Basic, 28, ... 02387 988 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02388 1948 NtSetEventBoostPriority (272, ... 02385 1792 NtTestAlert ... ) == 0x0 02386 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff54000,Pid=1292,Tid=1600,}, 0x0, ) == 0x0 02372 468 NtWaitForSingleObject ... ) == 0x0 02388 1948 NtSetEventBoostPriority ... ) == 0x0 02387 988 NtDuplicateObject ... 812, ) == 0x0 02389 1792 NtContinue (78380336, 1, ... 02390 1636 NtWaitForSingleObject (136, 0, 0x0, ... 02391 468 NtSetEventBoostPriority (272, ... 02392 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58097, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58097, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\14\5\0\0@\6\0\0" ... ... 02393 1948 NtWaitForSingleObject (272, 0, 0x0, ... 02394 1792 NtRegisterThreadTerminatePort (24, ... 02375 624 NtWaitForSingleObject ... ) == 0x0 02392 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58098, 0} ... {28, 56, reply, 0, 1292, 1956, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG(\3\0\0\14\5\0\0@\6\0\0" ) ) == 0x0 02391 468 NtSetEventBoostPriority ... ) == 0x0 02395 988 NtWaitForSingleObject (272, 0, 0x0, ... 02396 624 NtSetEventBoostPriority (272, ... 02397 1956 NtResumeThread (808, ... 02398 468 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02378 380 NtWaitForSingleObject ... ) == 0x0 02397 1956 NtResumeThread ... 1, ) == 0x0 02398 468 NtDuplicateObject ... 816, ) == 0x0 02399 380 NtSetEventBoostPriority (272, ... 02400 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 
02396 624 NtSetEventBoostPriority ... ) == 0x0 02394 1792 NtRegisterThreadTerminatePort ... ) == 0x0 02401 1600 NtWaitForSingleObject (88, 0, 0x0, ... 02384 784 NtWaitForSingleObject ... ) == 0x0 02399 380 NtSetEventBoostPriority ... ) == 0x0 02402 468 NtWaitForSingleObject (272, 0, 0x0, ... 02403 624 NtWaitForSingleObject (64, 0, {0, 0}, ... 02404 1792 NtWaitForSingleObject (272, 0, 0x0, ... 02405 784 NtSetEventBoostPriority (272, ... 02406 380 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02382 1692 NtWaitForSingleObject ... ) == 0x0 02405 784 NtSetEventBoostPriority ... ) == 0x0 02407 1692 NtSetEventBoostPriority (272, ... 02406 380 NtDuplicateObject ... 820, ) == 0x0 02400 1956 NtAllocateVirtualMemory ... 116129792, 1048576, ) == 0x0 02403 624 NtWaitForSingleObject ... ) == 0x102 02393 1948 NtWaitForSingleObject ... ) == 0x0 02407 1692 NtSetEventBoostPriority ... ) == 0x0 02408 784 NtSetEventBoostPriority (88, ... 02409 1956 NtAllocateVirtualMemory (-1, 117170176, 0, 8192, 4096, 4, ... 02410 624 NtWaitForSingleObject (272, 0, 0x0, ... 02411 1948 NtSetEventBoostPriority (272, ... 02412 1692 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02033 1520 NtWaitForSingleObject ... ) == 0x0 02408 784 NtSetEventBoostPriority ... ) == 0x0 02409 1956 NtAllocateVirtualMemory ... 117170176, 8192, ) == 0x0 02395 988 NtWaitForSingleObject ... ) == 0x0 02411 1948 NtSetEventBoostPriority ... ) == 0x0 02413 1520 NtWaitForSingleObject (272, 0, 0x0, ... 02412 1692 NtDuplicateObject ... 824, ) == 0x0 02414 784 NtTestAlert (... 02415 988 NtSetEventBoostPriority (272, ... 02416 1956 NtProtectVirtualMemory (-1, (0x6fbe000), 4096, 260, ... 02417 1948 NtWaitForSingleObject (272, 0, 0x0, ... 02418 380 NtWaitForSingleObject (272, 0, 0x0, ... 02402 468 NtWaitForSingleObject ... ) == 0x0 02415 988 NtSetEventBoostPriority ... ) == 0x0 02414 784 NtTestAlert ... ) == 0x0 02416 1956 NtProtectVirtualMemory ... (0x6fbe000), 4096, 4, ) == 0x0 02419 1692 NtWaitForSingleObject (272, 0, 0x0, ... 
02420 468 NtSetEventBoostPriority (272, ... 02421 988 NtWaitForSingleObject (272, 0, 0x0, ... 02422 784 NtContinue (79428912, 1, ... 02423 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02404 1792 NtWaitForSingleObject ... ) == 0x0 02420 468 NtSetEventBoostPriority ... ) == 0x0 02424 784 NtRegisterThreadTerminatePort (24, ... 02425 1792 NtSetEventBoostPriority (272, ... 02426 468 NtWaitForSingleObject (272, 0, 0x0, ... 02423 1956 NtCreateThread ... 828, {1292, 1372}, ) == 0x0 02410 624 NtWaitForSingleObject ... ) == 0x0 02425 1792 NtSetEventBoostPriority ... ) == 0x0 02424 784 NtRegisterThreadTerminatePort ... ) == 0x0 02427 624 NtSetEventBoostPriority (272, ... 02428 1956 NtQueryInformationThread (828, Basic, 28, ... 02413 1520 NtWaitForSingleObject ... ) == 0x0 02427 624 NtSetEventBoostPriority ... ) == 0x0 02429 784 NtWaitForSingleObject (272, 0, 0x0, ... 02430 1520 NtSetEventBoostPriority (272, ... 02428 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff53000,Pid=1292,Tid=1372,}, 0x0, ) == 0x0 02431 1792 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02418 380 NtWaitForSingleObject ... ) == 0x0 02430 1520 NtSetEventBoostPriority ... ) == 0x0 02432 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58098, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58098, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\14\5\0\0\\5\0\0" ... ... 02433 380 NtSetEventBoostPriority (272, ... 02431 1792 NtDuplicateObject ... 832, ) == 0x0 02434 624 NtWaitForSingleObject (136, 0, 0x0, ... 02419 1692 NtWaitForSingleObject ... ) == 0x0 02433 380 NtSetEventBoostPriority ... ) == 0x0 02432 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58099, 0} ... {28, 56, reply, 0, 1292, 1956, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG<\3\0\0\14\5\0\0\\5\0\0" ) ) == 0x0 02435 1792 NtWaitForSingleObject (272, 0, 0x0, ... 02436 1692 NtSetEventBoostPriority (272, ... 02437 380 NtWaitForSingleObject (272, 0, 0x0, ... 
02438 1520 NtSetEventBoostPriority (88, ... 02417 1948 NtWaitForSingleObject ... ) == 0x0 02436 1692 NtSetEventBoostPriority ... ) == 0x0 02439 1956 NtResumeThread (828, ... 02440 1948 NtSetEventBoostPriority (272, ... 02042 1696 NtWaitForSingleObject ... ) == 0x0 02438 1520 NtSetEventBoostPriority ... ) == 0x0 02441 1692 NtWaitForSingleObject (272, 0, 0x0, ... 02421 988 NtWaitForSingleObject ... ) == 0x0 02442 1696 NtWaitForSingleObject (272, 0, 0x0, ... 02439 1956 NtResumeThread ... 1, ) == 0x0 02443 1520 NtTestAlert (... 02440 1948 NtSetEventBoostPriority ... ) == 0x0 02444 1372 NtWaitForSingleObject (88, 0, 0x0, ... 02445 988 NtSetEventBoostPriority (272, ... 02446 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02443 1520 NtTestAlert ... ) == 0x0 02447 1948 NtWaitForSingleObject (272, 0, 0x0, ... 02426 468 NtWaitForSingleObject ... ) == 0x0 02446 1956 NtAllocateVirtualMemory ... 117178368, 1048576, ) == 0x0 02448 1520 NtContinue (80477488, 1, ... 02449 468 NtSetEventBoostPriority (272, ... 02450 1956 NtAllocateVirtualMemory (-1, 118218752, 0, 8192, 4096, 4, ... 02451 1520 NtRegisterThreadTerminatePort (24, ... 02429 784 NtWaitForSingleObject ... ) == 0x0 02450 1956 NtAllocateVirtualMemory ... 118218752, 8192, ) == 0x0 02449 468 NtSetEventBoostPriority ... ) == 0x0 02445 988 NtSetEventBoostPriority ... ) == 0x0 02452 784 NtSetEventBoostPriority (272, ... 02451 1520 NtRegisterThreadTerminatePort ... ) == 0x0 02453 468 NtWaitForSingleObject (272, 0, 0x0, ... 02454 988 NtWaitForSingleObject (272, 0, 0x0, ... 02435 1792 NtWaitForSingleObject ... ) == 0x0 02452 784 NtSetEventBoostPriority ... ) == 0x0 02455 1520 NtWaitForSingleObject (272, 0, 0x0, ... 02456 1792 NtSetEventBoostPriority (272, ... 02457 1956 NtProtectVirtualMemory (-1, (0x70be000), 4096, 260, ... 02437 380 NtWaitForSingleObject ... ) == 0x0 02456 1792 NtSetEventBoostPriority ... ) == 0x0 02458 380 NtSetEventBoostPriority (272, ... 02457 1956 NtProtectVirtualMemory ... 
(0x70be000), 4096, 4, ) == 0x0 02459 784 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02442 1696 NtWaitForSingleObject ... ) == 0x0 02460 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02461 1696 NtSetEventBoostPriority (272, ... 02459 784 NtDuplicateObject ... 836, ) == 0x0 02447 1948 NtWaitForSingleObject ... ) == 0x0 02461 1696 NtSetEventBoostPriority ... ) == 0x0 02460 1956 NtCreateThread ... 840, {1292, 2040}, ) == 0x0 02462 1948 NtSetEventBoostPriority (272, ... 02463 784 NtWaitForSingleObject (272, 0, 0x0, ... 02458 380 NtSetEventBoostPriority ... ) == 0x0 02464 1792 NtWaitForSingleObject (272, 0, 0x0, ... 02441 1692 NtWaitForSingleObject ... ) == 0x0 02462 1948 NtSetEventBoostPriority ... ) == 0x0 02465 1956 NtQueryInformationThread (840, Basic, 28, ... 02466 380 NtWaitForSingleObject (324, 0, 0x0, ... 02467 1692 NtSetEventBoostPriority (272, ... 02468 1696 NtSetEventBoostPriority (88, ... 02465 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff52000,Pid=1292,Tid=2040,}, 0x0, ) == 0x0 02453 468 NtWaitForSingleObject ... ) == 0x0 02049 1744 NtWaitForSingleObject ... ) == 0x0 02468 1696 NtSetEventBoostPriority ... ) == 0x0 02467 1692 NtSetEventBoostPriority ... ) == 0x0 02469 1948 NtSetEventBoostPriority (324, ... 02470 1744 NtWaitForSingleObject (272, 0, 0x0, ... 02471 468 NtSetEventBoostPriority (272, ... 02472 1696 NtTestAlert (... 02473 1692 NtWaitForSingleObject (324, 0, 0x0, ... 02466 380 NtWaitForSingleObject ... ) == 0x0 02469 1948 NtSetEventBoostPriority ... ) == 0x0 02454 988 NtWaitForSingleObject ... ) == 0x0 02471 468 NtSetEventBoostPriority ... ) == 0x0 02472 1696 NtTestAlert ... ) == 0x0 02474 380 NtWaitForSingleObject (272, 0, 0x0, ... 02475 988 NtSetEventBoostPriority (272, ... 02476 1948 NtWaitForSingleObject (64, 0, {0, 0}, ... 
02477 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58099, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58099, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\14\5\0\0\370\7\0\0" ... ... 02455 1520 NtWaitForSingleObject ... ) == 0x0 02475 988 NtSetEventBoostPriority ... ) == 0x0 02478 1696 NtContinue (81526064, 1, ... 02476 1948 NtWaitForSingleObject ... ) == 0x102 02479 1520 NtSetEventBoostPriority (272, ... 02477 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58100, 0} ... {28, 56, reply, 0, 1292, 1956, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGH\3\0\0\14\5\0\0\370\7\0\0" ) ) == 0x0 02480 468 NtWaitForSingleObject (324, 0, 0x0, ... 02481 1696 NtRegisterThreadTerminatePort (24, ... 02463 784 NtWaitForSingleObject ... ) == 0x0 02479 1520 NtSetEventBoostPriority ... ) == 0x0 02482 1948 NtWaitForSingleObject (136, 0, 0x0, ... 02483 1956 NtResumeThread (840, ... 02484 988 NtWaitForSingleObject (324, 0, 0x0, ... 02485 784 NtSetEventBoostPriority (272, ... 02481 1696 NtRegisterThreadTerminatePort ... ) == 0x0 02486 1520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02483 1956 NtResumeThread ... 1, ) == 0x0 02464 1792 NtWaitForSingleObject ... ) == 0x0 02485 784 NtSetEventBoostPriority ... ) == 0x0 02487 1696 NtWaitForSingleObject (272, 0, 0x0, ... 02486 1520 NtDuplicateObject ... 844, ) == 0x0 02488 1792 NtSetEventBoostPriority (272, ... 02489 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02490 2040 NtWaitForSingleObject (88, 0, 0x0, ... 02470 1744 NtWaitForSingleObject ... ) == 0x0 02488 1792 NtSetEventBoostPriority ... ) == 0x0 02491 1520 NtWaitForSingleObject (272, 0, 0x0, ... 02492 784 NtWaitForSingleObject (324, 0, 0x0, ... 02493 1744 NtSetEventBoostPriority (272, ... 02494 1792 NtWaitForSingleObject (324, 0, 0x0, ... 02474 380 NtWaitForSingleObject ... ) == 0x0 02493 1744 NtSetEventBoostPriority ... ) == 0x0 02489 1956 NtAllocateVirtualMemory ... 118226944, 1048576, ) == 0x0 02495 380 NtSetEventBoostPriority (272, ... 
02487 1696 NtWaitForSingleObject ... ) == 0x0 02496 1696 NtSetEventBoostPriority (272, ... 02491 1520 NtWaitForSingleObject ... ) == 0x0 02497 1520 NtWaitForSingleObject (324, 0, 0x0, ... 02496 1696 NtSetEventBoostPriority ... ) == 0x0 02495 380 NtSetEventBoostPriority ... ) == 0x0 02498 1956 NtAllocateVirtualMemory (-1, 119267328, 0, 8192, 4096, 4, ... 02499 1744 NtSetEventBoostPriority (88, ... 02500 1696 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02498 1956 NtAllocateVirtualMemory ... 119267328, 8192, ) == 0x0 02058 1124 NtWaitForSingleObject ... ) == 0x0 02499 1744 NtSetEventBoostPriority ... ) == 0x0 02500 1696 NtDuplicateObject ... 848, ) == 0x0 02501 1124 NtSetEventBoostPriority (88, ... 02502 1956 NtProtectVirtualMemory (-1, (0x71be000), 4096, 260, ... 02503 1744 NtTestAlert (... 02065 1496 NtWaitForSingleObject ... ) == 0x0 02501 1124 NtSetEventBoostPriority ... ) == 0x0 02504 1696 NtWaitForSingleObject (324, 0, 0x0, ... 02502 1956 NtProtectVirtualMemory ... (0x71be000), 4096, 4, ) == 0x0 02505 1496 NtSetEventBoostPriority (88, ... 02503 1744 NtTestAlert ... ) == 0x0 02506 380 NtSetEventBoostPriority (324, ... 02074 168 NtWaitForSingleObject ... ) == 0x0 02505 1496 NtSetEventBoostPriority ... ) == 0x0 02507 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02508 1744 NtContinue (82574640, 1, ... 02509 168 NtSetEventBoostPriority (88, ... 02473 1692 NtWaitForSingleObject ... ) == 0x0 02506 380 NtSetEventBoostPriority ... ) == 0x0 02510 1124 NtTestAlert (... 02511 1496 NtTestAlert (... 02081 1284 NtWaitForSingleObject ... ) == 0x0 02512 1692 NtSetEventBoostPriority (324, ... 02509 168 NtSetEventBoostPriority ... ) == 0x0 02513 1744 NtRegisterThreadTerminatePort (24, ... 02514 380 NtWaitForSingleObject (64, 0, {0, 0}, ... 02510 1124 NtTestAlert ... ) == 0x0 02515 1284 NtSetEventBoostPriority (88, ... 02480 468 NtWaitForSingleObject ... ) == 0x0 02512 1692 NtSetEventBoostPriority ... ) == 0x0 02511 1496 NtTestAlert ... 
) == 0x0 02507 1956 NtCreateThread ... 852, {1292, 216}, ) == 0x0 02516 168 NtTestAlert (... 02514 380 NtWaitForSingleObject ... ) == 0x102 02090 1268 NtWaitForSingleObject ... ) == 0x0 02517 468 NtSetEventBoostPriority (324, ... 02515 1284 NtSetEventBoostPriority ... ) == 0x0 02518 1124 NtContinue (83623216, 1, ... 02513 1744 NtRegisterThreadTerminatePort ... ) == 0x0 02519 1496 NtContinue (84671792, 1, ... 02520 1956 NtQueryInformationThread (852, Basic, 28, ... 02516 168 NtTestAlert ... ) == 0x0 02521 1268 NtSetEventBoostPriority (88, ... 02484 988 NtWaitForSingleObject ... ) == 0x0 02517 468 NtSetEventBoostPriority ... ) == 0x0 02522 380 NtWaitForSingleObject (136, 0, 0x0, ... 02523 1692 NtWaitForSingleObject (64, 0, {0, 0}, ... 02524 1124 NtRegisterThreadTerminatePort (24, ... 02525 1744 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02526 1496 NtRegisterThreadTerminatePort (24, ... 02520 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff51000,Pid=1292,Tid=216,}, 0x0, ) == 0x0 02097 840 NtWaitForSingleObject ... ) == 0x0 02527 988 NtSetEventBoostPriority (324, ... 02521 1268 NtSetEventBoostPriority ... ) == 0x0 02528 168 NtContinue (85720368, 1, ... 02529 468 NtWaitForSingleObject (64, 0, {0, 0}, ... 02530 1284 NtTestAlert (... 02523 1692 NtWaitForSingleObject ... ) == 0x102 02524 1124 NtRegisterThreadTerminatePort ... ) == 0x0 02525 1744 NtDuplicateObject ... 856, ) == 0x0 02526 1496 NtRegisterThreadTerminatePort ... ) == 0x0 02531 840 NtSetEventBoostPriority (88, ... 02492 784 NtWaitForSingleObject ... ) == 0x0 02527 988 NtSetEventBoostPriority ... ) == 0x0 02532 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58100, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58100, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\14\5\0\0\330\0\0\0" ... ... 02533 168 NtRegisterThreadTerminatePort (24, ... 02534 1268 NtTestAlert (... 02530 1284 NtTestAlert ... ) == 0x0 02535 1692 NtWaitForSingleObject (136, 0, 0x0, ... 
02536 1124 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02537 1744 NtAllocateVirtualMemory (-1, 1409024, 0, 4096, 4096, 4, ... 02106 1336 NtWaitForSingleObject ... ) == 0x0 02538 784 NtWaitForSingleObject (272, 0, 0x0, ... 02531 840 NtSetEventBoostPriority ... ) == 0x0 02539 1496 NtWaitForSingleObject (272, 0, 0x0, ... 02540 988 NtWaitForSingleObject (64, 0, {0, 0}, ... 02533 168 NtRegisterThreadTerminatePort ... ) == 0x0 02534 1268 NtTestAlert ... ) == 0x0 02541 1284 NtContinue (86768944, 1, ... 02529 468 NtWaitForSingleObject ... ) == 0x102 02532 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58101, 0} ... {28, 56, reply, 0, 1292, 1956, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGT\3\0\0\14\5\0\0\330\0\0\0" ) ) == 0x0 02542 1336 NtWaitForSingleObject (272, 0, 0x0, ... 02537 1744 NtAllocateVirtualMemory ... 1409024, 4096, ) == 0x0 02536 1124 NtDuplicateObject ... 860, ) == 0x0 02543 840 NtTestAlert (... 02544 168 NtWaitForSingleObject (272, 0, 0x0, ... 02545 1268 NtContinue (87817520, 1, ... 02546 1284 NtRegisterThreadTerminatePort (24, ... 02547 468 NtWaitForSingleObject (272, 0, 0x0, ... 02548 1956 NtResumeThread (852, ... 02549 1744 NtSetEventBoostPriority (272, ... 02550 1124 NtWaitForSingleObject (272, 0, 0x0, ... 02543 840 NtTestAlert ... ) == 0x0 02540 988 NtWaitForSingleObject ... ) == 0x102 02551 1268 NtRegisterThreadTerminatePort (24, ... 02546 1284 NtRegisterThreadTerminatePort ... ) == 0x0 02548 1956 NtResumeThread ... 1, ) == 0x0 02552 840 NtContinue (88866096, 1, ... 02553 988 NtWaitForSingleObject (272, 0, 0x0, ... 02551 1268 NtRegisterThreadTerminatePort ... ) == 0x0 02554 1284 NtWaitForSingleObject (272, 0, 0x0, ... 02555 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02556 840 NtRegisterThreadTerminatePort (24, ... 02557 1268 NtWaitForSingleObject (272, 0, 0x0, ... 02538 784 NtWaitForSingleObject ... ) == 0x0 02549 1744 NtSetEventBoostPriority ... ) == 0x0 02558 216 NtWaitForSingleObject (88, 0, 0x0, ... 
02555 1956 NtAllocateVirtualMemory ... 119275520, 1048576, ) == 0x0 02556 840 NtRegisterThreadTerminatePort ... ) == 0x0 02559 784 NtSetEventBoostPriority (272, ... 02560 1744 NtWaitForSingleObject (324, 0, 0x0, ... 02539 1496 NtWaitForSingleObject ... ) == 0x0 02559 784 NtSetEventBoostPriority ... ) == 0x0 02561 840 NtWaitForSingleObject (272, 0, 0x0, ... 02562 1496 NtSetEventBoostPriority (272, ... 02563 1956 NtAllocateVirtualMemory (-1, 120315904, 0, 8192, 4096, 4, ... 02564 784 NtSetEventBoostPriority (324, ... 02542 1336 NtWaitForSingleObject ... ) == 0x0 02563 1956 NtAllocateVirtualMemory ... 120315904, 8192, ) == 0x0 02565 1336 NtSetEventBoostPriority (272, ... 02494 1792 NtWaitForSingleObject ... ) == 0x0 02564 784 NtSetEventBoostPriority ... ) == 0x0 02547 468 NtWaitForSingleObject ... ) == 0x0 02566 1792 NtWaitForSingleObject (272, 0, 0x0, ... 02565 1336 NtSetEventBoostPriority ... ) == 0x0 02567 1956 NtProtectVirtualMemory (-1, (0x72be000), 4096, 260, ... 02568 468 NtSetEventBoostPriority (272, ... 02569 784 NtWaitForSingleObject (64, 0, {0, 0}, ... 02562 1496 NtSetEventBoostPriority ... ) == 0x0 02544 168 NtWaitForSingleObject ... ) == 0x0 02568 468 NtSetEventBoostPriority ... ) == 0x0 02567 1956 NtProtectVirtualMemory ... (0x72be000), 4096, 4, ) == 0x0 02569 784 NtWaitForSingleObject ... ) == 0x102 02570 168 NtSetEventBoostPriority (272, ... 02571 1496 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02572 1336 NtSetEventBoostPriority (88, ... 02573 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02550 1124 NtWaitForSingleObject ... ) == 0x0 02574 784 NtWaitForSingleObject (272, 0, 0x0, ... 02571 1496 NtDuplicateObject ... 864, ) == 0x0 02113 1200 NtWaitForSingleObject ... ) == 0x0 02572 1336 NtSetEventBoostPriority ... ) == 0x0 02573 1956 NtCreateThread ... 868, {1292, 152}, ) == 0x0 02575 1124 NtSetEventBoostPriority (272, ... 02570 168 NtSetEventBoostPriority ... ) == 0x0 02576 468 NtWaitForSingleObject (136, 0, 0x0, ... 
02577 1200 NtWaitForSingleObject (272, 0, 0x0, ... 02578 1336 NtTestAlert (... 02579 1496 NtWaitForSingleObject (272, 0, 0x0, ... 02553 988 NtWaitForSingleObject ... ) == 0x0 02575 1124 NtSetEventBoostPriority ... ) == 0x0 02580 168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02578 1336 NtTestAlert ... ) == 0x0 02581 988 NtSetEventBoostPriority (272, ... 02582 1956 NtQueryInformationThread (868, Basic, 28, ... 02580 168 NtDuplicateObject ... 872, ) == 0x0 02554 1284 NtWaitForSingleObject ... ) == 0x0 02581 988 NtSetEventBoostPriority ... ) == 0x0 02583 1336 NtContinue (89914672, 1, ... 02582 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff50000,Pid=1292,Tid=152,}, 0x0, ) == 0x0 02584 1124 NtWaitForSingleObject (272, 0, 0x0, ... 02585 1284 NtSetEventBoostPriority (272, ... 02586 168 NtWaitForSingleObject (272, 0, 0x0, ... 02587 1336 NtRegisterThreadTerminatePort (24, ... 02588 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58101, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58101, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\14\5\0\0\230\0\0\0" ... ... 02557 1268 NtWaitForSingleObject ... ) == 0x0 02585 1284 NtSetEventBoostPriority ... ) == 0x0 02589 988 NtWaitForSingleObject (136, 0, 0x0, ... 02588 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58102, 0} ... {28, 56, reply, 0, 1292, 1956, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGd\3\0\0\14\5\0\0\230\0\0\0" ) ) == 0x0 02590 1268 NtSetEventBoostPriority (272, ... 02591 1284 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02592 1956 NtResumeThread (868, ... 02566 1792 NtWaitForSingleObject ... ) == 0x0 02591 1284 NtDuplicateObject ... 876, ) == 0x0 02590 1268 NtSetEventBoostPriority ... ) == 0x0 02587 1336 NtRegisterThreadTerminatePort ... ) == 0x0 02593 1792 NtSetEventBoostPriority (272, ... 02592 1956 NtResumeThread ... 1, ) == 0x0 02594 1268 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02561 840 NtWaitForSingleObject ... 
) == 0x0 02595 1336 NtWaitForSingleObject (272, 0, 0x0, ... 02596 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02594 1268 NtDuplicateObject ... 880, ) == 0x0 02597 840 NtSetEventBoostPriority (272, ... 02596 1956 NtAllocateVirtualMemory ... 120324096, 1048576, ) == 0x0 02593 1792 NtSetEventBoostPriority ... ) == 0x0 02598 1284 NtWaitForSingleObject (272, 0, 0x0, ... 02599 152 NtWaitForSingleObject (88, 0, 0x0, ... 02574 784 NtWaitForSingleObject ... ) == 0x0 02600 1956 NtAllocateVirtualMemory (-1, 121364480, 0, 8192, 4096, 4, ... 02597 840 NtSetEventBoostPriority ... ) == 0x0 02601 1268 NtWaitForSingleObject (272, 0, 0x0, ... 02602 784 NtSetEventBoostPriority (272, ... 02600 1956 NtAllocateVirtualMemory ... 121364480, 8192, ) == 0x0 02603 840 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02577 1200 NtWaitForSingleObject ... ) == 0x0 02604 1956 NtProtectVirtualMemory (-1, (0x73be000), 4096, 260, ... 02605 1200 NtSetEventBoostPriority (272, ... 02603 840 NtDuplicateObject ... 884, ) == 0x0 02602 784 NtSetEventBoostPriority ... ) == 0x0 02606 1792 NtSetEventBoostPriority (324, ... 02579 1496 NtWaitForSingleObject ... ) == 0x0 02605 1200 NtSetEventBoostPriority ... ) == 0x0 02604 1956 NtProtectVirtualMemory ... (0x73be000), 4096, 4, ) == 0x0 02607 784 NtWaitForSingleObject (136, 0, 0x0, ... 02608 1496 NtSetEventBoostPriority (272, ... 02497 1520 NtWaitForSingleObject ... ) == 0x0 02606 1792 NtSetEventBoostPriority ... ) == 0x0 02609 840 NtWaitForSingleObject (272, 0, 0x0, ... 02610 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02584 1124 NtWaitForSingleObject ... ) == 0x0 02611 1520 NtWaitForSingleObject (272, 0, 0x0, ... 02608 1496 NtSetEventBoostPriority ... ) == 0x0 02612 1792 NtWaitForSingleObject (64, 0, {0, 0}, ... 02613 1124 NtSetEventBoostPriority (272, ... 02610 1956 NtCreateThread ... 888, {1292, 900}, ) == 0x0 02614 1496 NtWaitForSingleObject (272, 0, 0x0, ... 02586 168 NtWaitForSingleObject ... 
) == 0x0 02613 1124 NtSetEventBoostPriority ... ) == 0x0 02612 1792 NtWaitForSingleObject ... ) == 0x102 02615 1956 NtQueryInformationThread (888, Basic, 28, ... 02616 1200 NtSetEventBoostPriority (88, ... 02617 168 NtSetEventBoostPriority (272, ... 02618 1124 NtWaitForSingleObject (272, 0, 0x0, ... 02619 1792 NtWaitForSingleObject (136, 0, 0x0, ... 02615 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4f000,Pid=1292,Tid=900,}, 0x0, ) == 0x0 02595 1336 NtWaitForSingleObject ... ) == 0x0 02617 168 NtSetEventBoostPriority ... ) == 0x0 02122 1920 NtWaitForSingleObject ... ) == 0x0 02616 1200 NtSetEventBoostPriority ... ) == 0x0 02620 1336 NtSetEventBoostPriority (272, ... 02621 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58102, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58102, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\14\5\0\0\204\3\0\0" ... ... 02622 1920 NtWaitForSingleObject (272, 0, 0x0, ... 02623 168 NtWaitForSingleObject (272, 0, 0x0, ... 02598 1284 NtWaitForSingleObject ... ) == 0x0 02620 1336 NtSetEventBoostPriority ... ) == 0x0 02624 1200 NtTestAlert (... 02621 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58103, 0} ... {28, 56, reply, 0, 1292, 1956, 58103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFGx\3\0\0\14\5\0\0\204\3\0\0" ) ) == 0x0 02625 1284 NtSetEventBoostPriority (272, ... 02624 1200 NtTestAlert ... ) == 0x0 02601 1268 NtWaitForSingleObject ... ) == 0x0 02625 1284 NtSetEventBoostPriority ... ) == 0x0 02626 1956 NtResumeThread (888, ... 02627 1268 NtSetEventBoostPriority (272, ... 02628 1200 NtContinue (90963248, 1, ... 02629 1284 NtWaitForSingleObject (272, 0, 0x0, ... 02609 840 NtWaitForSingleObject ... ) == 0x0 02627 1268 NtSetEventBoostPriority ... ) == 0x0 02626 1956 NtResumeThread ... 1, ) == 0x0 02630 1200 NtRegisterThreadTerminatePort (24, ... 02631 1336 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02632 900 NtWaitForSingleObject (88, 0, 0x0, ... 02633 840 NtSetEventBoostPriority (272, ... 
02634 1268 NtWaitForSingleObject (272, 0, 0x0, ... 02635 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02631 1336 NtDuplicateObject ... 892, ) == 0x0 02611 1520 NtWaitForSingleObject ... ) == 0x0 02633 840 NtSetEventBoostPriority ... ) == 0x0 02630 1200 NtRegisterThreadTerminatePort ... ) == 0x0 02635 1956 NtAllocateVirtualMemory ... 121372672, 1048576, ) == 0x0 02636 1520 NtSetEventBoostPriority (272, ... 02637 1336 NtWaitForSingleObject (272, 0, 0x0, ... 02638 840 NtWaitForSingleObject (272, 0, 0x0, ... 02639 1200 NtWaitForSingleObject (272, 0, 0x0, ... 02614 1496 NtWaitForSingleObject ... ) == 0x0 02636 1520 NtSetEventBoostPriority ... ) == 0x0 02640 1956 NtAllocateVirtualMemory (-1, 122413056, 0, 8192, 4096, 4, ... 02641 1496 NtSetEventBoostPriority (272, ... 02618 1124 NtWaitForSingleObject ... ) == 0x0 02642 1124 NtSetEventBoostPriority (272, ... 02622 1920 NtWaitForSingleObject ... ) == 0x0 02643 1920 NtSetEventBoostPriority (272, ... 02623 168 NtWaitForSingleObject ... ) == 0x0 02644 168 NtSetEventBoostPriority (272, ... 02629 1284 NtWaitForSingleObject ... ) == 0x0 02645 1284 NtSetEventBoostPriority (272, ... 02634 1268 NtWaitForSingleObject ... ) == 0x0 02646 1268 NtSetEventBoostPriority (272, ... 02637 1336 NtWaitForSingleObject ... ) == 0x0 02647 1336 NtSetEventBoostPriority (272, ... 02639 1200 NtWaitForSingleObject ... ) == 0x0 02648 1200 NtSetEventBoostPriority (272, ... 02638 840 NtWaitForSingleObject ... ) == 0x0 02649 840 NtWaitForSingleObject (324, 0, 0x0, ... 02648 1200 NtSetEventBoostPriority ... ) == 0x0 02647 1336 NtSetEventBoostPriority ... ) == 0x0 02643 1920 NtSetEventBoostPriority ... ) == 0x0 02640 1956 NtAllocateVirtualMemory ... 122413056, 8192, ) == 0x0 02646 1268 NtSetEventBoostPriority ... ) == 0x0 02645 1284 NtSetEventBoostPriority ... ) == 0x0 02644 168 NtSetEventBoostPriority ... ) == 0x0 02642 1124 NtSetEventBoostPriority ... ) == 0x0 02641 1496 NtSetEventBoostPriority ... 
) == 0x0 02650 1520 NtSetEventBoostPriority (324, ... 02651 1200 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02652 1336 NtWaitForSingleObject (324, 0, 0x0, ... 02653 1956 NtProtectVirtualMemory (-1, (0x74be000), 4096, 260, ... 02654 1268 NtWaitForSingleObject (324, 0, 0x0, ... 02655 1284 NtWaitForSingleObject (324, 0, 0x0, ... 02656 168 NtWaitForSingleObject (324, 0, 0x0, ... 02657 1124 NtWaitForSingleObject (324, 0, 0x0, ... 02658 1496 NtWaitForSingleObject (324, 0, 0x0, ... 02504 1696 NtWaitForSingleObject ... ) == 0x0 02650 1520 NtSetEventBoostPriority ... ) == 0x0 02651 1200 NtDuplicateObject ... 896, ) == 0x0 02653 1956 NtProtectVirtualMemory ... (0x74be000), 4096, 4, ) == 0x0 02659 1696 NtSetEventBoostPriority (324, ... 02660 1520 NtWaitForSingleObject (64, 0, {0, 0}, ... 02661 1200 NtWaitForSingleObject (324, 0, 0x0, ... 02560 1744 NtWaitForSingleObject ... ) == 0x0 02659 1696 NtSetEventBoostPriority ... ) == 0x0 02662 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02660 1520 NtWaitForSingleObject ... ) == 0x102 02663 1744 NtSetEventBoostPriority (324, ... 02664 1920 NtSetEventBoostPriority (88, ... 02662 1956 NtCreateThread ... 900, {1292, 1272}, ) == 0x0 02649 840 NtWaitForSingleObject ... ) == 0x0 02663 1744 NtSetEventBoostPriority ... ) == 0x0 02665 1520 NtWaitForSingleObject (136, 0, 0x0, ... 02129 896 NtWaitForSingleObject ... ) == 0x0 02664 1920 NtSetEventBoostPriority ... ) == 0x0 02666 1696 NtWaitForSingleObject (64, 0, {0, 0}, ... 02667 840 NtSetEventBoostPriority (324, ... 02668 1956 NtQueryInformationThread (900, Basic, 28, ... 02669 1744 NtWaitForSingleObject (64, 0, {0, 0}, ... 02670 896 NtSetEventBoostPriority (88, ... 02671 1920 NtTestAlert (... 02652 1336 NtWaitForSingleObject ... ) == 0x0 02666 1696 NtWaitForSingleObject ... ) == 0x102 02668 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4e000,Pid=1292,Tid=1272,}, 0x0, ) == 0x0 02138 2016 NtWaitForSingleObject ... 
) == 0x0 02670 896 NtSetEventBoostPriority ... ) == 0x0 02669 1744 NtWaitForSingleObject ... ) == 0x102 02671 1920 NtTestAlert ... ) == 0x0 02672 1336 NtSetEventBoostPriority (324, ... 02673 1696 NtWaitForSingleObject (136, 0, 0x0, ... 02674 2016 NtAllocateVirtualMemory (-1, 8810496, 0, 4096, 4096, 4, ... 02675 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58103, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58103, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\14\5\0\0\370\4\0\0" ... ... 02667 840 NtSetEventBoostPriority ... ) == 0x0 02676 1744 NtWaitForSingleObject (136, 0, 0x0, ... 02677 1920 NtContinue (92011824, 1, ... 02654 1268 NtWaitForSingleObject ... ) == 0x0 02672 1336 NtSetEventBoostPriority ... ) == 0x0 02674 2016 NtAllocateVirtualMemory ... 8810496, 4096, ) == 0x0 02675 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58104, 0} ... {28, 56, reply, 0, 1292, 1956, 58104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\204\3\0\0\14\5\0\0\370\4\0\0" ) ) == 0x0 02678 896 NtTestAlert (... 02679 1268 NtSetEventBoostPriority (324, ... 02680 1920 NtRegisterThreadTerminatePort (24, ... 02681 1336 NtWaitForSingleObject (64, 0, {0, 0}, ... 02682 840 NtWaitForSingleObject (64, 0, {0, 0}, ... 02683 1956 NtResumeThread (900, ... 02655 1284 NtWaitForSingleObject ... ) == 0x0 02679 1268 NtSetEventBoostPriority ... ) == 0x0 02678 896 NtTestAlert ... ) == 0x0 02684 2016 NtSetEventBoostPriority (88, ... 02680 1920 NtRegisterThreadTerminatePort ... ) == 0x0 02682 840 NtWaitForSingleObject ... ) == 0x102 02681 1336 NtWaitForSingleObject ... ) == 0x102 02685 1284 NtSetEventBoostPriority (324, ... 02683 1956 NtResumeThread ... 1, ) == 0x0 02686 896 NtContinue (93060400, 1, ... 02145 2012 NtWaitForSingleObject ... ) == 0x0 02684 2016 NtSetEventBoostPriority ... ) == 0x0 02687 1920 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02688 840 NtWaitForSingleObject (136, 0, 0x0, ... 02656 168 NtWaitForSingleObject ... ) == 0x0 02685 1284 NtSetEventBoostPriority ... 
) == 0x0 02689 1336 NtWaitForSingleObject (136, 0, 0x0, ... 02690 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02691 2012 NtSetEventBoostPriority (88, ... 02692 896 NtRegisterThreadTerminatePort (24, ... 02693 2016 NtTestAlert (... 02687 1920 NtDuplicateObject ... 904, ) == 0x0 02694 168 NtSetEventBoostPriority (324, ... 02695 1268 NtWaitForSingleObject (64, 0, {0, 0}, ... 02696 1272 NtWaitForSingleObject (88, 0, 0x0, ... 02154 1604 NtWaitForSingleObject ... ) == 0x0 02691 2012 NtSetEventBoostPriority ... ) == 0x0 02690 1956 NtAllocateVirtualMemory ... 122421248, 1048576, ) == 0x0 02692 896 NtRegisterThreadTerminatePort ... ) == 0x0 02693 2016 NtTestAlert ... ) == 0x0 02657 1124 NtWaitForSingleObject ... ) == 0x0 02694 168 NtSetEventBoostPriority ... ) == 0x0 02697 1920 NtAllocateVirtualMemory (-1, 1413120, 0, 4096, 4096, 4, ... 02695 1268 NtWaitForSingleObject ... ) == 0x102 02698 1604 NtWaitForSingleObject (272, 0, 0x0, ... 02699 1284 NtWaitForSingleObject (64, 0, {0, 0}, ... 02700 1956 NtAllocateVirtualMemory (-1, 123461632, 0, 8192, 4096, 4, ... 02701 896 NtWaitForSingleObject (272, 0, 0x0, ... 02702 1124 NtWaitForSingleObject (272, 0, 0x0, ... 02703 2016 NtContinue (94108976, 1, ... 02704 2012 NtTestAlert (... 02697 1920 NtAllocateVirtualMemory ... 1413120, 4096, ) == 0x0 02705 1268 NtWaitForSingleObject (272, 0, 0x0, ... 02699 1284 NtWaitForSingleObject ... ) == 0x102 02700 1956 NtAllocateVirtualMemory ... 123461632, 8192, ) == 0x0 02706 168 NtWaitForSingleObject (64, 0, {0, 0}, ... 02707 2016 NtRegisterThreadTerminatePort (24, ... 02704 2012 NtTestAlert ... ) == 0x0 02708 1920 NtSetEventBoostPriority (272, ... 02709 1284 NtWaitForSingleObject (272, 0, 0x0, ... 02710 1956 NtProtectVirtualMemory (-1, (0x75be000), 4096, 260, ... 02706 168 NtWaitForSingleObject ... ) == 0x102 02711 2012 NtContinue (95157552, 1, ... 02707 2016 NtRegisterThreadTerminatePort ... ) == 0x0 02698 1604 NtWaitForSingleObject ... 
) == 0x0 02708 1920 NtSetEventBoostPriority ... ) == 0x0 02712 168 NtWaitForSingleObject (272, 0, 0x0, ... 02713 2012 NtRegisterThreadTerminatePort (24, ... 02714 1604 NtSetEventBoostPriority (272, ... 02715 2016 NtWaitForSingleObject (272, 0, 0x0, ... 02716 1920 NtWaitForSingleObject (272, 0, 0x0, ... 02702 1124 NtWaitForSingleObject ... ) == 0x0 02714 1604 NtSetEventBoostPriority ... ) == 0x0 02713 2012 NtRegisterThreadTerminatePort ... ) == 0x0 02717 1124 NtSetEventBoostPriority (272, ... 02710 1956 NtProtectVirtualMemory ... (0x75be000), 4096, 4, ) == 0x0 02705 1268 NtWaitForSingleObject ... ) == 0x0 02717 1124 NtSetEventBoostPriority ... ) == 0x0 02718 2012 NtWaitForSingleObject (272, 0, 0x0, ... 02719 1268 NtSetEventBoostPriority (272, ... 02720 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02721 1604 NtSetEventBoostPriority (88, ... 02722 1124 NtSetEventBoostPriority (324, ... 02701 896 NtWaitForSingleObject ... ) == 0x0 02719 1268 NtSetEventBoostPriority ... ) == 0x0 02720 1956 NtCreateThread ... 908, {1292, 1240}, ) == 0x0 02161 1572 NtWaitForSingleObject ... ) == 0x0 02721 1604 NtSetEventBoostPriority ... ) == 0x0 02723 896 NtSetEventBoostPriority (272, ... 02658 1496 NtWaitForSingleObject ... ) == 0x0 02722 1124 NtSetEventBoostPriority ... ) == 0x0 02724 1572 NtWaitForSingleObject (272, 0, 0x0, ... 02725 1956 NtQueryInformationThread (908, Basic, 28, ... 02709 1284 NtWaitForSingleObject ... ) == 0x0 02726 1496 NtWaitForSingleObject (272, 0, 0x0, ... 02727 1604 NtTestAlert (... 02728 1124 NtWaitForSingleObject (64, 0, {0, 0}, ... 02725 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4d000,Pid=1292,Tid=1240,}, 0x0, ) == 0x0 02729 1284 NtSetEventBoostPriority (272, ... 02727 1604 NtTestAlert ... ) == 0x0 02728 1124 NtWaitForSingleObject ... 
) == 0x102 02730 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58104, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58104, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\14\5\0\0\330\4\0\0" ... ... 02712 168 NtWaitForSingleObject ... ) == 0x0 02729 1284 NtSetEventBoostPriority ... ) == 0x0 02731 1604 NtContinue (96206128, 1, ... 02732 1124 NtWaitForSingleObject (136, 0, 0x0, ... 02723 896 NtSetEventBoostPriority ... ) == 0x0 02733 1268 NtWaitForSingleObject (136, 0, 0x0, ... 02734 168 NtSetEventBoostPriority (272, ... 02730 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58105, 0} ... {28, 56, reply, 0, 1292, 1956, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\214\3\0\0\14\5\0\0\330\4\0\0" ) ) == 0x0 02735 1604 NtRegisterThreadTerminatePort (24, ... 02736 1284 NtWaitForSingleObject (136, 0, 0x0, ... 02737 896 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02715 2016 NtWaitForSingleObject ... ) == 0x0 02734 168 NtSetEventBoostPriority ... ) == 0x0 02738 1956 NtResumeThread (908, ... 02739 2016 NtSetEventBoostPriority (272, ... 02737 896 NtDuplicateObject ... 912, ) == 0x0 02735 1604 NtRegisterThreadTerminatePort ... ) == 0x0 02716 1920 NtWaitForSingleObject ... ) == 0x0 02739 2016 NtSetEventBoostPriority ... ) == 0x0 02738 1956 NtResumeThread ... 1, ) == 0x0 02740 168 NtWaitForSingleObject (136, 0, 0x0, ... 02741 1920 NtSetEventBoostPriority (272, ... 02742 1604 NtWaitForSingleObject (272, 0, 0x0, ... 02743 896 NtWaitForSingleObject (272, 0, 0x0, ... 02744 1240 NtWaitForSingleObject (88, 0, 0x0, ... 02745 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02718 2012 NtWaitForSingleObject ... ) == 0x0 02741 1920 NtSetEventBoostPriority ... ) == 0x0 02746 2012 NtSetEventBoostPriority (272, ... 02745 1956 NtAllocateVirtualMemory ... 123469824, 1048576, ) == 0x0 02747 2016 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02724 1572 NtWaitForSingleObject ... ) == 0x0 02746 2012 NtSetEventBoostPriority ... 
) == 0x0 02748 1920 NtWaitForSingleObject (324, 0, 0x0, ... 02749 1572 NtSetEventBoostPriority (272, ... 02747 2016 NtDuplicateObject ... 916, ) == 0x0 02750 2012 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02726 1496 NtWaitForSingleObject ... ) == 0x0 02749 1572 NtSetEventBoostPriority ... ) == 0x0 02751 2016 NtWaitForSingleObject (272, 0, 0x0, ... 02752 1496 NtSetEventBoostPriority (272, ... 02750 2012 NtDuplicateObject ... 920, ) == 0x0 02753 1956 NtAllocateVirtualMemory (-1, 124510208, 0, 8192, 4096, 4, ... 02742 1604 NtWaitForSingleObject ... ) == 0x0 02752 1496 NtSetEventBoostPriority ... ) == 0x0 02754 1572 NtSetEventBoostPriority (88, ... 02755 1604 NtSetEventBoostPriority (272, ... 02753 1956 NtAllocateVirtualMemory ... 124510208, 8192, ) == 0x0 02756 2012 NtWaitForSingleObject (272, 0, 0x0, ... 02743 896 NtWaitForSingleObject ... ) == 0x0 02755 1604 NtSetEventBoostPriority ... ) == 0x0 02170 596 NtWaitForSingleObject ... ) == 0x0 02754 1572 NtSetEventBoostPriority ... ) == 0x0 02757 1956 NtProtectVirtualMemory (-1, (0x76be000), 4096, 260, ... 02758 896 NtSetEventBoostPriority (272, ... 02759 1496 NtSetEventBoostPriority (324, ... 02760 596 NtWaitForSingleObject (272, 0, 0x0, ... 02761 1572 NtTestAlert (... 02751 2016 NtWaitForSingleObject ... ) == 0x0 02758 896 NtSetEventBoostPriority ... ) == 0x0 02757 1956 NtProtectVirtualMemory ... (0x76be000), 4096, 4, ) == 0x0 02661 1200 NtWaitForSingleObject ... ) == 0x0 02759 1496 NtSetEventBoostPriority ... ) == 0x0 02762 2016 NtSetEventBoostPriority (272, ... 02761 1572 NtTestAlert ... ) == 0x0 02763 896 NtWaitForSingleObject (272, 0, 0x0, ... 02764 1200 NtWaitForSingleObject (272, 0, 0x0, ... 02765 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02756 2012 NtWaitForSingleObject ... ) == 0x0 02762 2016 NtSetEventBoostPriority ... ) == 0x0 02766 1496 NtWaitForSingleObject (64, 0, {0, 0}, ... 02767 1572 NtContinue (97254704, 1, ... 02768 1604 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02769 2012 NtSetEventBoostPriority (272, ... 02765 1956 NtCreateThread ... 924, {1292, 1776}, ) == 0x0 02766 1496 NtWaitForSingleObject ... ) == 0x102 02770 1572 NtRegisterThreadTerminatePort (24, ... 02760 596 NtWaitForSingleObject ... ) == 0x0 02769 2012 NtSetEventBoostPriority ... ) == 0x0 02768 1604 NtDuplicateObject ... 928, ) == 0x0 02771 2016 NtWaitForSingleObject (272, 0, 0x0, ... 02772 1496 NtWaitForSingleObject (272, 0, 0x0, ... 02773 1956 NtQueryInformationThread (924, Basic, 28, ... 02774 596 NtSetEventBoostPriority (272, ... 02775 2012 NtWaitForSingleObject (272, 0, 0x0, ... 02776 1604 NtWaitForSingleObject (272, 0, 0x0, ... 02770 1572 NtRegisterThreadTerminatePort ... ) == 0x0 02764 1200 NtWaitForSingleObject ... ) == 0x0 02774 596 NtSetEventBoostPriority ... ) == 0x0 02773 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4c000,Pid=1292,Tid=1776,}, 0x0, ) == 0x0 02777 1200 NtSetEventBoostPriority (272, ... 02778 1572 NtWaitForSingleObject (272, 0, 0x0, ... 02763 896 NtWaitForSingleObject ... ) == 0x0 02777 1200 NtSetEventBoostPriority ... ) == 0x0 02779 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58105, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58105, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\14\5\0\0\360\6\0\0" ... ... 02780 896 NtSetEventBoostPriority (272, ... 02781 596 NtSetEventBoostPriority (88, ... 02771 2016 NtWaitForSingleObject ... ) == 0x0 02779 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58106, 0} ... {28, 56, reply, 0, 1292, 1956, 58106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\234\3\0\0\14\5\0\0\360\6\0\0" ) ) == 0x0 02177 376 NtWaitForSingleObject ... ) == 0x0 02781 596 NtSetEventBoostPriority ... ) == 0x0 02782 2016 NtSetEventBoostPriority (272, ... 02783 376 NtWaitForSingleObject (272, 0, 0x0, ... 02784 1956 NtResumeThread (924, ... 02785 596 NtTestAlert (... 02772 1496 NtWaitForSingleObject ... ) == 0x0 02782 2016 NtSetEventBoostPriority ... 
) == 0x0 02780 896 NtSetEventBoostPriority ... ) == 0x0 02786 1200 NtSetEventBoostPriority (324, ... 02787 1496 NtSetEventBoostPriority (272, ... 02785 596 NtTestAlert ... ) == 0x0 02788 2016 NtWaitForSingleObject (272, 0, 0x0, ... 02789 896 NtWaitForSingleObject (272, 0, 0x0, ... 02776 1604 NtWaitForSingleObject ... ) == 0x0 02748 1920 NtWaitForSingleObject ... ) == 0x0 02786 1200 NtSetEventBoostPriority ... ) == 0x0 02790 596 NtContinue (98303280, 1, ... 02787 1496 NtSetEventBoostPriority ... ) == 0x0 02784 1956 NtResumeThread ... 1, ) == 0x0 02791 1920 NtWaitForSingleObject (272, 0, 0x0, ... 02792 1604 NtSetEventBoostPriority (272, ... 02793 1200 NtWaitForSingleObject (64, 0, {0, 0}, ... 02794 596 NtRegisterThreadTerminatePort (24, ... 02795 1496 NtWaitForSingleObject (136, 0, 0x0, ... 02796 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02775 2012 NtWaitForSingleObject ... ) == 0x0 02792 1604 NtSetEventBoostPriority ... ) == 0x0 02793 1200 NtWaitForSingleObject ... ) == 0x102 02797 1776 NtWaitForSingleObject (88, 0, 0x0, ... 02798 2012 NtSetEventBoostPriority (272, ... 02796 1956 NtAllocateVirtualMemory ... 124518400, 1048576, ) == 0x0 02794 596 NtRegisterThreadTerminatePort ... ) == 0x0 02799 1200 NtWaitForSingleObject (136, 0, 0x0, ... 02778 1572 NtWaitForSingleObject ... ) == 0x0 02800 1956 NtAllocateVirtualMemory (-1, 125558784, 0, 8192, 4096, 4, ... 02801 596 NtWaitForSingleObject (272, 0, 0x0, ... 02798 2012 NtSetEventBoostPriority ... ) == 0x0 02802 1604 NtWaitForSingleObject (272, 0, 0x0, ... 02803 1572 NtSetEventBoostPriority (272, ... 02800 1956 NtAllocateVirtualMemory ... 125558784, 8192, ) == 0x0 02804 2012 NtWaitForSingleObject (272, 0, 0x0, ... 02783 376 NtWaitForSingleObject ... ) == 0x0 02803 1572 NtSetEventBoostPriority ... ) == 0x0 02805 1956 NtProtectVirtualMemory (-1, (0x77be000), 4096, 260, ... 02806 376 NtSetEventBoostPriority (272, ... 02807 1572 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 
02789 896 NtWaitForSingleObject ... ) == 0x0 02806 376 NtSetEventBoostPriority ... ) == 0x0 02808 896 NtSetEventBoostPriority (272, ... 02807 1572 NtDuplicateObject ... 932, ) == 0x0 02805 1956 NtProtectVirtualMemory ... (0x77be000), 4096, 4, ) == 0x0 02791 1920 NtWaitForSingleObject ... ) == 0x0 02808 896 NtSetEventBoostPriority ... ) == 0x0 02809 1572 NtWaitForSingleObject (272, 0, 0x0, ... 02810 1920 NtSetEventBoostPriority (272, ... 02811 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02812 376 NtSetEventBoostPriority (88, ... 02788 2016 NtWaitForSingleObject ... ) == 0x0 02810 1920 NtSetEventBoostPriority ... ) == 0x0 02811 1956 NtCreateThread ... 936, {1292, 1324}, ) == 0x0 02813 2016 NtSetEventBoostPriority (272, ... 02186 1168 NtWaitForSingleObject ... ) == 0x0 02812 376 NtSetEventBoostPriority ... ) == 0x0 02814 896 NtWaitForSingleObject (324, 0, 0x0, ... 02801 596 NtWaitForSingleObject ... ) == 0x0 02815 1168 NtWaitForSingleObject (272, 0, 0x0, ... 02816 1956 NtQueryInformationThread (936, Basic, 28, ... 02817 376 NtTestAlert (... 02818 596 NtSetEventBoostPriority (272, ... 02816 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4b000,Pid=1292,Tid=1324,}, 0x0, ) == 0x0 02817 376 NtTestAlert ... ) == 0x0 02802 1604 NtWaitForSingleObject ... ) == 0x0 02818 596 NtSetEventBoostPriority ... ) == 0x0 02819 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58106, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58106, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\14\5\0\0,\5\0\0" ... ... 02820 1604 NtSetEventBoostPriority (272, ... 02821 376 NtContinue (99351856, 1, ... 02813 2016 NtSetEventBoostPriority ... ) == 0x0 02822 1920 NtSetEventBoostPriority (324, ... 02823 596 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02804 2012 NtWaitForSingleObject ... ) == 0x0 02820 1604 NtSetEventBoostPriority ... ) == 0x0 02824 376 NtRegisterThreadTerminatePort (24, ... 02825 2016 NtWaitForSingleObject (324, 0, 0x0, ... 
02814 896 NtWaitForSingleObject ... ) == 0x0 02822 1920 NtSetEventBoostPriority ... ) == 0x0 02826 2012 NtSetEventBoostPriority (272, ... 02823 596 NtDuplicateObject ... 940, ) == 0x0 02827 1604 NtWaitForSingleObject (324, 0, 0x0, ... 02819 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58107, 0} ... {28, 56, reply, 0, 1292, 1956, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\250\3\0\0\14\5\0\0,\5\0\0" ) ) == 0x0 02828 896 NtWaitForSingleObject (272, 0, 0x0, ... 02809 1572 NtWaitForSingleObject ... ) == 0x0 02826 2012 NtSetEventBoostPriority ... ) == 0x0 02829 1920 NtWaitForSingleObject (64, 0, {0, 0}, ... 02830 596 NtWaitForSingleObject (272, 0, 0x0, ... 02824 376 NtRegisterThreadTerminatePort ... ) == 0x0 02831 1572 NtSetEventBoostPriority (272, ... 02832 1956 NtResumeThread (936, ... 02829 1920 NtWaitForSingleObject ... ) == 0x102 02815 1168 NtWaitForSingleObject ... ) == 0x0 02831 1572 NtSetEventBoostPriority ... ) == 0x0 02833 376 NtWaitForSingleObject (272, 0, 0x0, ... 02832 1956 NtResumeThread ... 1, ) == 0x0 02834 1168 NtSetEventBoostPriority (272, ... 02835 1920 NtWaitForSingleObject (272, 0, 0x0, ... 02836 2012 NtWaitForSingleObject (324, 0, 0x0, ... 02837 1324 NtWaitForSingleObject (88, 0, 0x0, ... 02828 896 NtWaitForSingleObject ... ) == 0x0 02834 1168 NtSetEventBoostPriority ... ) == 0x0 02838 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02839 1572 NtWaitForSingleObject (324, 0, 0x0, ... 02840 896 NtSetEventBoostPriority (272, ... 02838 1956 NtAllocateVirtualMemory ... 125566976, 1048576, ) == 0x0 02830 596 NtWaitForSingleObject ... ) == 0x0 02840 896 NtSetEventBoostPriority ... ) == 0x0 02841 1168 NtSetEventBoostPriority (88, ... 02842 596 NtSetEventBoostPriority (272, ... 02843 1956 NtAllocateVirtualMemory (-1, 126607360, 0, 8192, 4096, 4, ... 02833 376 NtWaitForSingleObject ... ) == 0x0 02842 596 NtSetEventBoostPriority ... ) == 0x0 02193 428 NtWaitForSingleObject ... ) == 0x0 02841 1168 NtSetEventBoostPriority ... 
) == 0x0 02844 376 NtSetEventBoostPriority (272, ... 02843 1956 NtAllocateVirtualMemory ... 126607360, 8192, ) == 0x0 02845 896 NtSetEventBoostPriority (324, ... 02846 428 NtWaitForSingleObject (272, 0, 0x0, ... 02835 1920 NtWaitForSingleObject ... ) == 0x0 02844 376 NtSetEventBoostPriority ... ) == 0x0 02847 1168 NtTestAlert (... 02848 1956 NtProtectVirtualMemory (-1, (0x78be000), 4096, 260, ... 02849 1920 NtSetEventBoostPriority (272, ... 02825 2016 NtWaitForSingleObject ... ) == 0x0 02845 896 NtSetEventBoostPriority ... ) == 0x0 02850 596 NtWaitForSingleObject (272, 0, 0x0, ... 02847 1168 NtTestAlert ... ) == 0x0 02846 428 NtWaitForSingleObject ... ) == 0x0 02851 2016 NtWaitForSingleObject (272, 0, 0x0, ... 02848 1956 NtProtectVirtualMemory ... (0x78be000), 4096, 4, ) == 0x0 02852 896 NtWaitForSingleObject (64, 0, {0, 0}, ... 02853 428 NtSetEventBoostPriority (272, ... 02854 1168 NtContinue (100400432, 1, ... 02855 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02850 596 NtWaitForSingleObject ... ) == 0x0 02853 428 NtSetEventBoostPriority ... ) == 0x0 02852 896 NtWaitForSingleObject ... ) == 0x102 02856 1168 NtRegisterThreadTerminatePort (24, ... 02857 596 NtSetEventBoostPriority (272, ... 02855 1956 NtCreateThread ... 944, {1292, 1884}, ) == 0x0 02849 1920 NtSetEventBoostPriority ... ) == 0x0 02858 376 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02859 896 NtWaitForSingleObject (136, 0, 0x0, ... 02860 428 NtSetEventBoostPriority (88, ... 02851 2016 NtWaitForSingleObject ... ) == 0x0 02857 596 NtSetEventBoostPriority ... ) == 0x0 02856 1168 NtRegisterThreadTerminatePort ... ) == 0x0 02861 1920 NtWaitForSingleObject (136, 0, 0x0, ... 02858 376 NtDuplicateObject ... 948, ) == 0x0 02862 1956 NtQueryInformationThread (944, Basic, 28, ... 02863 2016 NtSetEventBoostPriority (324, ... 02202 1344 NtWaitForSingleObject ... ) == 0x0 02860 428 NtSetEventBoostPriority ... ) == 0x0 02864 596 NtWaitForSingleObject (324, 0, 0x0, ... 
02865 1168 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02866 376 NtWaitForSingleObject (324, 0, 0x0, ... 02827 1604 NtWaitForSingleObject ... ) == 0x0 02867 1344 NtSetEventBoostPriority (88, ... 02863 2016 NtSetEventBoostPriority ... ) == 0x0 02862 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff4a000,Pid=1292,Tid=1884,}, 0x0, ) == 0x0 02868 428 NtTestAlert (... 02865 1168 NtDuplicateObject ... 952, ) == 0x0 02869 1604 NtSetEventBoostPriority (324, ... 02209 1300 NtWaitForSingleObject ... ) == 0x0 02867 1344 NtSetEventBoostPriority ... ) == 0x0 02870 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58107, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58107, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\14\5\0\0\\7\0\0" ... ... 02868 428 NtTestAlert ... ) == 0x0 02836 2012 NtWaitForSingleObject ... ) == 0x0 02871 1300 NtSetEventBoostPriority (88, ... 02872 1168 NtWaitForSingleObject (324, 0, 0x0, ... 02869 1604 NtSetEventBoostPriority ... ) == 0x0 02873 2016 NtWaitForSingleObject (64, 0, {0, 0}, ... 02870 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58108, 0} ... {28, 56, reply, 0, 1292, 1956, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\260\3\0\0\14\5\0\0\\7\0\0" ) ) == 0x0 02874 428 NtContinue (101449008, 1, ... 02218 1096 NtWaitForSingleObject ... ) == 0x0 02871 1300 NtSetEventBoostPriority ... ) == 0x0 02875 2012 NtSetEventBoostPriority (324, ... 02876 1604 NtWaitForSingleObject (64, 0, {0, 0}, ... 02873 2016 NtWaitForSingleObject ... ) == 0x102 02877 1956 NtResumeThread (944, ... 02878 1096 NtSetEventBoostPriority (88, ... 02879 428 NtRegisterThreadTerminatePort (24, ... 02880 1344 NtTestAlert (... 02839 1572 NtWaitForSingleObject ... ) == 0x0 02875 2012 NtSetEventBoostPriority ... ) == 0x0 02881 2016 NtWaitForSingleObject (136, 0, 0x0, ... 02882 1300 NtTestAlert (... 02876 1604 NtWaitForSingleObject ... ) == 0x102 02225 252 NtWaitForSingleObject ... ) == 0x0 02878 1096 NtSetEventBoostPriority ... 
) == 0x0 02877 1956 NtResumeThread ... 1, ) == 0x0 02883 1572 NtSetEventBoostPriority (324, ... 02880 1344 NtTestAlert ... ) == 0x0 02884 2012 NtWaitForSingleObject (64, 0, {0, 0}, ... 02882 1300 NtTestAlert ... ) == 0x0 02885 252 NtSetEventBoostPriority (88, ... 02886 1604 NtWaitForSingleObject (136, 0, 0x0, ... 02879 428 NtRegisterThreadTerminatePort ... ) == 0x0 02887 1884 NtWaitForSingleObject (88, 0, 0x0, ... 02866 376 NtWaitForSingleObject ... ) == 0x0 02883 1572 NtSetEventBoostPriority ... ) == 0x0 02888 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02889 1344 NtContinue (102497584, 1, ... 02890 1096 NtTestAlert (... 02234 500 NtWaitForSingleObject ... ) == 0x0 02885 252 NtSetEventBoostPriority ... ) == 0x0 02891 1300 NtContinue (103546160, 1, ... 02892 428 NtAllocateVirtualMemory (-1, 1417216, 0, 4096, 4096, 4, ... 02893 376 NtWaitForSingleObject (272, 0, 0x0, ... 02894 1572 NtWaitForSingleObject (64, 0, {0, 0}, ... 02888 1956 NtAllocateVirtualMemory ... 126615552, 1048576, ) == 0x0 02895 1344 NtRegisterThreadTerminatePort (24, ... 02896 500 NtWaitForSingleObject (272, 0, 0x0, ... 02890 1096 NtTestAlert ... ) == 0x0 02884 2012 NtWaitForSingleObject ... ) == 0x102 02897 1300 NtRegisterThreadTerminatePort (24, ... 02892 428 NtAllocateVirtualMemory ... 1417216, 4096, ) == 0x0 02898 252 NtTestAlert (... 02899 1956 NtAllocateVirtualMemory (-1, 127655936, 0, 8192, 4096, 4, ... 02895 1344 NtRegisterThreadTerminatePort ... ) == 0x0 02900 1096 NtContinue (104594736, 1, ... 02901 2012 NtWaitForSingleObject (272, 0, 0x0, ... 02897 1300 NtRegisterThreadTerminatePort ... ) == 0x0 02902 428 NtSetEventBoostPriority (272, ... 02898 252 NtTestAlert ... ) == 0x0 02899 1956 NtAllocateVirtualMemory ... 127655936, 8192, ) == 0x0 02903 1344 NtWaitForSingleObject (272, 0, 0x0, ... 02904 1096 NtRegisterThreadTerminatePort (24, ... 02905 1300 NtWaitForSingleObject (272, 0, 0x0, ... 02893 376 NtWaitForSingleObject ... ) == 0x0 02902 428 NtSetEventBoostPriority ... 
) == 0x0 02906 252 NtContinue (105643312, 1, ... 02907 1956 NtProtectVirtualMemory (-1, (0x79be000), 4096, 260, ... 02894 1572 NtWaitForSingleObject ... ) == 0x102 02904 1096 NtRegisterThreadTerminatePort ... ) == 0x0 02908 376 NtSetEventBoostPriority (272, ... 02909 428 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02910 252 NtRegisterThreadTerminatePort (24, ... 02911 1572 NtWaitForSingleObject (272, 0, 0x0, ... 02896 500 NtWaitForSingleObject ... ) == 0x0 02908 376 NtSetEventBoostPriority ... ) == 0x0 02912 1096 NtWaitForSingleObject (272, 0, 0x0, ... 02907 1956 NtProtectVirtualMemory ... (0x79be000), 4096, 4, ) == 0x0 02910 252 NtRegisterThreadTerminatePort ... ) == 0x0 02913 500 NtSetEventBoostPriority (272, ... 02909 428 NtDuplicateObject ... 956, ) == 0x0 02914 376 NtSetEventBoostPriority (324, ... 02915 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02901 2012 NtWaitForSingleObject ... ) == 0x0 02913 500 NtSetEventBoostPriority ... ) == 0x0 02916 252 NtWaitForSingleObject (272, 0, 0x0, ... 02917 428 NtWaitForSingleObject (272, 0, 0x0, ... 02864 596 NtWaitForSingleObject ... ) == 0x0 02914 376 NtSetEventBoostPriority ... ) == 0x0 02918 2012 NtSetEventBoostPriority (272, ... 02915 1956 NtCreateThread ... 960, {1292, 248}, ) == 0x0 02919 500 NtSetEventBoostPriority (88, ... 02920 596 NtWaitForSingleObject (272, 0, 0x0, ... 02903 1344 NtWaitForSingleObject ... ) == 0x0 02918 2012 NtSetEventBoostPriority ... ) == 0x0 02921 376 NtWaitForSingleObject (64, 0, {0, 0}, ... 02922 1956 NtQueryInformationThread (960, Basic, 28, ... 02923 1344 NtSetEventBoostPriority (272, ... 02241 1132 NtWaitForSingleObject ... ) == 0x0 02919 500 NtSetEventBoostPriority ... ) == 0x0 02921 376 NtWaitForSingleObject ... ) == 0x102 02905 1300 NtWaitForSingleObject ... ) == 0x0 02924 1132 NtWaitForSingleObject (272, 0, 0x0, ... 02922 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff49000,Pid=1292,Tid=248,}, 0x0, ) == 0x0 02925 500 NtTestAlert (... 
02926 376 NtWaitForSingleObject (272, 0, 0x0, ... 02927 1300 NtSetEventBoostPriority (272, ... 02928 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58108, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58108, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\14\5\0\0\370\0\0\0" ... ... 02925 500 NtTestAlert ... ) == 0x0 02923 1344 NtSetEventBoostPriority ... ) == 0x0 02929 2012 NtWaitForSingleObject (136, 0, 0x0, ... 02911 1572 NtWaitForSingleObject ... ) == 0x0 02927 1300 NtSetEventBoostPriority ... ) == 0x0 02930 500 NtContinue (106691888, 1, ... 02931 1344 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02932 1572 NtSetEventBoostPriority (272, ... 02933 1300 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02934 500 NtRegisterThreadTerminatePort (24, ... 02931 1344 NtDuplicateObject ... 964, ) == 0x0 02912 1096 NtWaitForSingleObject ... ) == 0x0 02932 1572 NtSetEventBoostPriority ... ) == 0x0 02933 1300 NtDuplicateObject ... 968, ) == 0x0 02928 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58109, 0} ... {28, 56, reply, 0, 1292, 1956, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\300\3\0\0\14\5\0\0\370\0\0\0" ) ) == 0x0 02934 500 NtRegisterThreadTerminatePort ... ) == 0x0 02935 1096 NtSetEventBoostPriority (272, ... 02936 1344 NtWaitForSingleObject (272, 0, 0x0, ... 02937 1572 NtWaitForSingleObject (136, 0, 0x0, ... 02938 1956 NtResumeThread (960, ... 02917 428 NtWaitForSingleObject ... ) == 0x0 02939 500 NtWaitForSingleObject (272, 0, 0x0, ... 02938 1956 NtResumeThread ... 1, ) == 0x0 02940 428 NtSetEventBoostPriority (272, ... 02941 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02920 596 NtWaitForSingleObject ... ) == 0x0 02940 428 NtSetEventBoostPriority ... ) == 0x0 02942 596 NtSetEventBoostPriority (272, ... 02941 1956 NtAllocateVirtualMemory ... 127664128, 1048576, ) == 0x0 02935 1096 NtSetEventBoostPriority ... ) == 0x0 02943 1300 NtWaitForSingleObject (272, 0, 0x0, ... 02944 248 NtWaitForSingleObject (88, 0, 0x0, ... 
02916 252 NtWaitForSingleObject ... ) == 0x0 02942 596 NtSetEventBoostPriority ... ) == 0x0 02945 428 NtWaitForSingleObject (272, 0, 0x0, ... 02946 1096 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02947 252 NtSetEventBoostPriority (272, ... 02948 1956 NtAllocateVirtualMemory (-1, 128704512, 0, 8192, 4096, 4, ... 02946 1096 NtDuplicateObject ... 972, ) == 0x0 02924 1132 NtWaitForSingleObject ... ) == 0x0 02948 1956 NtAllocateVirtualMemory ... 128704512, 8192, ) == 0x0 02947 252 NtSetEventBoostPriority ... ) == 0x0 02949 596 NtSetEventBoostPriority (324, ... 02950 1132 NtSetEventBoostPriority (272, ... 02951 1956 NtProtectVirtualMemory (-1, (0x7abe000), 4096, 260, ... 02952 252 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02926 376 NtWaitForSingleObject ... ) == 0x0 02950 1132 NtSetEventBoostPriority ... ) == 0x0 02872 1168 NtWaitForSingleObject ... ) == 0x0 02949 596 NtSetEventBoostPriority ... ) == 0x0 02951 1956 NtProtectVirtualMemory ... (0x7abe000), 4096, 4, ) == 0x0 02953 376 NtSetEventBoostPriority (272, ... 02952 252 NtDuplicateObject ... 976, ) == 0x0 02954 1096 NtWaitForSingleObject (272, 0, 0x0, ... 02955 1168 NtWaitForSingleObject (272, 0, 0x0, ... 02956 596 NtWaitForSingleObject (64, 0, {0, 0}, ... 02936 1344 NtWaitForSingleObject ... ) == 0x0 02957 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02953 376 NtSetEventBoostPriority ... ) == 0x0 02958 1132 NtSetEventBoostPriority (88, ... 02956 596 NtWaitForSingleObject ... ) == 0x102 02959 1344 NtSetEventBoostPriority (272, ... 02957 1956 NtCreateThread ... 980, {1292, 1652}, ) == 0x0 02960 376 NtWaitForSingleObject (136, 0, 0x0, ... 02250 1024 NtWaitForSingleObject ... ) == 0x0 02958 1132 NtSetEventBoostPriority ... ) == 0x0 02961 596 NtWaitForSingleObject (272, 0, 0x0, ... 02939 500 NtWaitForSingleObject ... ) == 0x0 02959 1344 NtSetEventBoostPriority ... ) == 0x0 02962 252 NtWaitForSingleObject (272, 0, 0x0, ... 02963 1024 NtWaitForSingleObject (272, 0, 0x0, ... 
02964 1132 NtTestAlert (... 02965 1956 NtQueryInformationThread (980, Basic, 28, ... 02966 500 NtSetEventBoostPriority (272, ... 02967 1344 NtWaitForSingleObject (272, 0, 0x0, ... 02964 1132 NtTestAlert ... ) == 0x0 02943 1300 NtWaitForSingleObject ... ) == 0x0 02966 500 NtSetEventBoostPriority ... ) == 0x0 02965 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff48000,Pid=1292,Tid=1652,}, 0x0, ) == 0x0 02968 1300 NtSetEventBoostPriority (272, ... 02969 1132 NtContinue (107740464, 1, ... 02945 428 NtWaitForSingleObject ... ) == 0x0 02968 1300 NtSetEventBoostPriority ... ) == 0x0 02970 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58109, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58109, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\14\5\0\0t\6\0\0" ... ... 02971 428 NtSetEventBoostPriority (272, ... 02972 1132 NtRegisterThreadTerminatePort (24, ... 02973 1300 NtWaitForSingleObject (272, 0, 0x0, ... 02955 1168 NtWaitForSingleObject ... ) == 0x0 02971 428 NtSetEventBoostPriority ... ) == 0x0 02970 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58110, 0} ... {28, 56, reply, 0, 1292, 1956, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\324\3\0\0\14\5\0\0t\6\0\0" ) ) == 0x0 02974 500 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 02972 1132 NtRegisterThreadTerminatePort ... ) == 0x0 02975 1168 NtSetEventBoostPriority (272, ... 02976 428 NtWaitForSingleObject (272, 0, 0x0, ... 02977 1956 NtResumeThread (980, ... 02974 500 NtDuplicateObject ... 984, ) == 0x0 02954 1096 NtWaitForSingleObject ... ) == 0x0 02975 1168 NtSetEventBoostPriority ... ) == 0x0 02978 1132 NtWaitForSingleObject (272, 0, 0x0, ... 02979 1096 NtSetEventBoostPriority (272, ... 02980 500 NtWaitForSingleObject (272, 0, 0x0, ... 02977 1956 NtResumeThread ... 1, ) == 0x0 02963 1024 NtWaitForSingleObject ... ) == 0x0 02979 1096 NtSetEventBoostPriority ... ) == 0x0 02981 1024 NtSetEventBoostPriority (272, ... 
02982 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 02962 252 NtWaitForSingleObject ... ) == 0x0 02981 1024 NtSetEventBoostPriority ... ) == 0x0 02983 1096 NtWaitForSingleObject (272, 0, 0x0, ... 02984 252 NtSetEventBoostPriority (272, ... 02982 1956 NtAllocateVirtualMemory ... 128712704, 1048576, ) == 0x0 02985 1168 NtWaitForSingleObject (64, 0, {0, 0}, ... 02986 1652 NtWaitForSingleObject (88, 0, 0x0, ... 02987 1024 NtSetEventBoostPriority (88, ... 02961 596 NtWaitForSingleObject ... ) == 0x0 02984 252 NtSetEventBoostPriority ... ) == 0x0 02988 1956 NtAllocateVirtualMemory (-1, 129753088, 0, 8192, 4096, 4, ... 02985 1168 NtWaitForSingleObject ... ) == 0x102 02989 596 NtSetEventBoostPriority (272, ... 02257 948 NtWaitForSingleObject ... ) == 0x0 02987 1024 NtSetEventBoostPriority ... ) == 0x0 02990 252 NtWaitForSingleObject (272, 0, 0x0, ... 02988 1956 NtAllocateVirtualMemory ... 129753088, 8192, ) == 0x0 02967 1344 NtWaitForSingleObject ... ) == 0x0 02991 948 NtWaitForSingleObject (272, 0, 0x0, ... 02992 1168 NtWaitForSingleObject (272, 0, 0x0, ... 02993 1024 NtTestAlert (... 02989 596 NtSetEventBoostPriority ... ) == 0x0 02994 1956 NtProtectVirtualMemory (-1, (0x7bbe000), 4096, 260, ... 02995 1344 NtSetEventBoostPriority (272, ... 02993 1024 NtTestAlert ... ) == 0x0 02996 596 NtWaitForSingleObject (136, 0, 0x0, ... 02973 1300 NtWaitForSingleObject ... ) == 0x0 02997 1024 NtContinue (108789040, 1, ... 02998 1300 NtSetEventBoostPriority (272, ... 02999 1024 NtRegisterThreadTerminatePort (24, ... 02976 428 NtWaitForSingleObject ... ) == 0x0 02998 1300 NtSetEventBoostPriority ... ) == 0x0 02995 1344 NtSetEventBoostPriority ... ) == 0x0 02994 1956 NtProtectVirtualMemory ... (0x7bbe000), 4096, 4, ) == 0x0 03000 428 NtSetEventBoostPriority (272, ... 03001 1300 NtWaitForSingleObject (272, 0, 0x0, ... 03002 1344 NtWaitForSingleObject (272, 0, 0x0, ... 03003 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 
02978 1132 NtWaitForSingleObject ... ) == 0x0 03003 1956 NtCreateThread ... 988, {1292, 588}, ) == 0x0 03004 1132 NtSetEventBoostPriority (272, ... 03005 1956 NtQueryInformationThread (988, Basic, 28, ... 02980 500 NtWaitForSingleObject ... ) == 0x0 03004 1132 NtSetEventBoostPriority ... ) == 0x0 03006 500 NtSetEventBoostPriority (272, ... 03005 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff47000,Pid=1292,Tid=588,}, 0x0, ) == 0x0 03000 428 NtSetEventBoostPriority ... ) == 0x0 02999 1024 NtRegisterThreadTerminatePort ... ) == 0x0 02983 1096 NtWaitForSingleObject ... ) == 0x0 03006 500 NtSetEventBoostPriority ... ) == 0x0 03007 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58110, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58110, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\14\5\0\0L\2\0\0" ... ... 03008 428 NtWaitForSingleObject (272, 0, 0x0, ... 03009 1096 NtSetEventBoostPriority (272, ... 03010 1024 NtWaitForSingleObject (272, 0, 0x0, ... 03011 1132 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03012 500 NtWaitForSingleObject (272, 0, 0x0, ... 02991 948 NtWaitForSingleObject ... ) == 0x0 03011 1132 NtDuplicateObject ... 992, ) == 0x0 03013 948 NtSetEventBoostPriority (272, ... 02992 1168 NtWaitForSingleObject ... ) == 0x0 03014 1168 NtSetEventBoostPriority (272, ... 02990 252 NtWaitForSingleObject ... ) == 0x0 03015 252 NtSetEventBoostPriority (272, ... 03001 1300 NtWaitForSingleObject ... ) == 0x0 03016 1300 NtSetEventBoostPriority (272, ... 03002 1344 NtWaitForSingleObject ... ) == 0x0 03017 1344 NtSetEventBoostPriority (272, ... 03008 428 NtWaitForSingleObject ... ) == 0x0 03018 428 NtSetEventBoostPriority (272, ... 03010 1024 NtWaitForSingleObject ... ) == 0x0 03019 1024 NtSetEventBoostPriority (272, ... 03012 500 NtWaitForSingleObject ... ) == 0x0 03020 500 NtWaitForSingleObject (324, 0, 0x0, ... 03019 1024 NtSetEventBoostPriority ... ) == 0x0 03018 428 NtSetEventBoostPriority ... 
) == 0x0 03017 1344 NtSetEventBoostPriority ... ) == 0x0 03016 1300 NtSetEventBoostPriority ... ) == 0x0 03014 1168 NtSetEventBoostPriority ... ) == 0x0 03013 948 NtSetEventBoostPriority ... ) == 0x0 03021 1132 NtWaitForSingleObject (324, 0, 0x0, ... 03015 252 NtSetEventBoostPriority ... ) == 0x0 03009 1096 NtSetEventBoostPriority ... ) == 0x0 03007 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58111, 0} ... {28, 56, reply, 0, 1292, 1956, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\334\3\0\0\14\5\0\0L\2\0\0" ) ) == 0x0 03022 1024 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03023 428 NtSetEventBoostPriority (324, ... 03024 1344 NtWaitForSingleObject (324, 0, 0x0, ... 03025 1300 NtWaitForSingleObject (324, 0, 0x0, ... 03026 1168 NtWaitForSingleObject (136, 0, 0x0, ... 03027 252 NtWaitForSingleObject (324, 0, 0x0, ... 03028 1096 NtWaitForSingleObject (324, 0, 0x0, ... 03029 1956 NtResumeThread (988, ... 03022 1024 NtDuplicateObject ... 996, ) == 0x0 03020 500 NtWaitForSingleObject ... ) == 0x0 03023 428 NtSetEventBoostPriority ... ) == 0x0 03029 1956 NtResumeThread ... 1, ) == 0x0 03030 500 NtSetEventBoostPriority (324, ... 03031 1024 NtWaitForSingleObject (324, 0, 0x0, ... 03032 428 NtWaitForSingleObject (64, 0, {0, 0}, ... 03021 1132 NtWaitForSingleObject ... ) == 0x0 03030 500 NtSetEventBoostPriority ... ) == 0x0 03033 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03034 1132 NtSetEventBoostPriority (324, ... 03032 428 NtWaitForSingleObject ... ) == 0x102 03035 948 NtSetEventBoostPriority (88, ... 03036 588 NtWaitForSingleObject (88, 0, 0x0, ... 03024 1344 NtWaitForSingleObject ... ) == 0x0 03034 1132 NtSetEventBoostPriority ... ) == 0x0 03033 1956 NtAllocateVirtualMemory ... 129761280, 1048576, ) == 0x0 03037 428 NtWaitForSingleObject (136, 0, 0x0, ... 02266 1388 NtWaitForSingleObject ... ) == 0x0 03035 948 NtSetEventBoostPriority ... ) == 0x0 03038 1344 NtSetEventBoostPriority (324, ... 
03039 500 NtWaitForSingleObject (64, 0, {0, 0}, ... 03040 1132 NtWaitForSingleObject (64, 0, {0, 0}, ... 03041 1956 NtAllocateVirtualMemory (-1, 130801664, 0, 8192, 4096, 4, ... 03042 1388 NtSetEventBoostPriority (88, ... 03025 1300 NtWaitForSingleObject ... ) == 0x0 03038 1344 NtSetEventBoostPriority ... ) == 0x0 03043 948 NtTestAlert (... 03039 500 NtWaitForSingleObject ... ) == 0x102 03040 1132 NtWaitForSingleObject ... ) == 0x102 02273 520 NtWaitForSingleObject ... ) == 0x0 03044 1300 NtSetEventBoostPriority (324, ... 03042 1388 NtSetEventBoostPriority ... ) == 0x0 03041 1956 NtAllocateVirtualMemory ... 130801664, 8192, ) == 0x0 03045 1344 NtWaitForSingleObject (64, 0, {0, 0}, ... 03043 948 NtTestAlert ... ) == 0x0 03046 500 NtWaitForSingleObject (136, 0, 0x0, ... 03047 520 NtSetEventBoostPriority (88, ... 03027 252 NtWaitForSingleObject ... ) == 0x0 03044 1300 NtSetEventBoostPriority ... ) == 0x0 03048 1132 NtWaitForSingleObject (136, 0, 0x0, ... 03049 1956 NtProtectVirtualMemory (-1, (0x7cbe000), 4096, 260, ... 03050 1388 NtTestAlert (... 03051 948 NtContinue (109837616, 1, ... 02282 276 NtWaitForSingleObject ... ) == 0x0 03052 252 NtSetEventBoostPriority (324, ... 03047 520 NtSetEventBoostPriority ... ) == 0x0 03053 1300 NtWaitForSingleObject (64, 0, {0, 0}, ... 03049 1956 NtProtectVirtualMemory ... (0x7cbe000), 4096, 4, ) == 0x0 03050 1388 NtTestAlert ... ) == 0x0 03054 276 NtSetEventBoostPriority (88, ... 03028 1096 NtWaitForSingleObject ... ) == 0x0 03052 252 NtSetEventBoostPriority ... ) == 0x0 03055 948 NtRegisterThreadTerminatePort (24, ... 03045 1344 NtWaitForSingleObject ... ) == 0x102 03056 520 NtTestAlert (... 03057 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 02290 996 NtWaitForSingleObject ... ) == 0x0 03058 1096 NtSetEventBoostPriority (324, ... 03054 276 NtSetEventBoostPriority ... ) == 0x0 03059 1388 NtContinue (110886192, 1, ... 03053 1300 NtWaitForSingleObject ... 
) == 0x102 03060 252 NtWaitForSingleObject (64, 0, {0, 0}, ... 03061 1344 NtWaitForSingleObject (136, 0, 0x0, ... 03056 520 NtTestAlert ... ) == 0x0 03062 996 NtSetEventBoostPriority (88, ... 03031 1024 NtWaitForSingleObject ... ) == 0x0 03058 1096 NtSetEventBoostPriority ... ) == 0x0 03057 1956 NtCreateThread ... 1000, {1292, 440}, ) == 0x0 03055 948 NtRegisterThreadTerminatePort ... ) == 0x0 03063 1388 NtRegisterThreadTerminatePort (24, ... 03064 1300 NtWaitForSingleObject (136, 0, 0x0, ... 03060 252 NtWaitForSingleObject ... ) == 0x102 02295 1856 NtWaitForSingleObject ... ) == 0x0 03065 1024 NtWaitForSingleObject (64, 0, {0, 0}, ... 03062 996 NtSetEventBoostPriority ... ) == 0x0 03066 520 NtContinue (111934768, 1, ... 03067 276 NtTestAlert (... 03068 1096 NtWaitForSingleObject (64, 0, {0, 0}, ... 03069 948 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03063 1388 NtRegisterThreadTerminatePort ... ) == 0x0 03070 1856 NtSetEventBoostPriority (88, ... 03071 252 NtAllocateVirtualMemory (-1, 1421312, 0, 4096, 4096, 4, ... 03072 1956 NtQueryInformationThread (1000, Basic, 28, ... 03073 520 NtRegisterThreadTerminatePort (24, ... 03067 276 NtTestAlert ... ) == 0x0 03068 1096 NtWaitForSingleObject ... ) == 0x102 03069 948 NtDuplicateObject ... 1004, ) == 0x0 02346 1064 NtWaitForSingleObject ... ) == 0x0 03070 1856 NtSetEventBoostPriority ... ) == 0x0 03074 1388 NtWaitForSingleObject (272, 0, 0x0, ... 03071 252 NtAllocateVirtualMemory ... 1421312, 4096, ) == 0x0 03072 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff46000,Pid=1292,Tid=440,}, 0x0, ) == 0x0 03073 520 NtRegisterThreadTerminatePort ... ) == 0x0 03075 276 NtContinue (112983344, 1, ... 03076 1096 NtWaitForSingleObject (272, 0, 0x0, ... 03077 1064 NtWaitForSingleObject (272, 0, 0x0, ... 03078 948 NtWaitForSingleObject (272, 0, 0x0, ... 03079 996 NtTestAlert (... 03065 1024 NtWaitForSingleObject ... ) == 0x102 03080 1856 NtWaitForSingleObject (272, 0, 0x0, ... 
03081 252 NtSetEventBoostPriority (272, ... 03082 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58111, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58111, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\14\5\0\0\270\1\0\0" ... ... 03083 520 NtWaitForSingleObject (272, 0, 0x0, ... 03084 276 NtRegisterThreadTerminatePort (24, ... 03079 996 NtTestAlert ... ) == 0x0 03085 1024 NtWaitForSingleObject (272, 0, 0x0, ... 03082 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58112, 0} ... {28, 56, reply, 0, 1292, 1956, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\350\3\0\0\14\5\0\0\270\1\0\0" ) ) == 0x0 03077 1064 NtWaitForSingleObject ... ) == 0x0 03081 252 NtSetEventBoostPriority ... ) == 0x0 03084 276 NtRegisterThreadTerminatePort ... ) == 0x0 03086 996 NtContinue (114031920, 1, ... 03087 1064 NtSetEventBoostPriority (272, ... 03088 1956 NtResumeThread (1000, ... 03089 252 NtWaitForSingleObject (136, 0, 0x0, ... 03090 276 NtWaitForSingleObject (272, 0, 0x0, ... 03076 1096 NtWaitForSingleObject ... ) == 0x0 03087 1064 NtSetEventBoostPriority ... ) == 0x0 03091 996 NtRegisterThreadTerminatePort (24, ... 03088 1956 NtResumeThread ... 1, ) == 0x0 03092 1096 NtSetEventBoostPriority (272, ... 03093 440 NtWaitForSingleObject (88, 0, 0x0, ... 03091 996 NtRegisterThreadTerminatePort ... ) == 0x0 03078 948 NtWaitForSingleObject ... ) == 0x0 03092 1096 NtSetEventBoostPriority ... ) == 0x0 03094 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03095 948 NtSetEventBoostPriority (272, ... 03096 996 NtWaitForSingleObject (272, 0, 0x0, ... 03097 1064 NtSetEventBoostPriority (88, ... 03080 1856 NtWaitForSingleObject ... ) == 0x0 03095 948 NtSetEventBoostPriority ... ) == 0x0 03094 1956 NtAllocateVirtualMemory ... 130809856, 1048576, ) == 0x0 03098 1096 NtWaitForSingleObject (136, 0, 0x0, ... 03099 1856 NtSetEventBoostPriority (272, ... 02401 1600 NtWaitForSingleObject ... ) == 0x0 03097 1064 NtSetEventBoostPriority ... 
) == 0x0 03100 1956 NtAllocateVirtualMemory (-1, 131850240, 0, 8192, 4096, 4, ... 03074 1388 NtWaitForSingleObject ... ) == 0x0 03101 1600 NtWaitForSingleObject (272, 0, 0x0, ... 03099 1856 NtSetEventBoostPriority ... ) == 0x0 03102 1064 NtTestAlert (... 03103 1388 NtSetEventBoostPriority (272, ... 03100 1956 NtAllocateVirtualMemory ... 131850240, 8192, ) == 0x0 03104 1856 NtWaitForSingleObject (272, 0, 0x0, ... 03085 1024 NtWaitForSingleObject ... ) == 0x0 03102 1064 NtTestAlert ... ) == 0x0 03105 1956 NtProtectVirtualMemory (-1, (0x7dbe000), 4096, 260, ... 03103 1388 NtSetEventBoostPriority ... ) == 0x0 03106 948 NtWaitForSingleObject (272, 0, 0x0, ... 03107 1024 NtSetEventBoostPriority (272, ... 03108 1064 NtContinue (115080496, 1, ... 03109 1388 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03083 520 NtWaitForSingleObject ... ) == 0x0 03107 1024 NtSetEventBoostPriority ... ) == 0x0 03110 1064 NtRegisterThreadTerminatePort (24, ... 03111 520 NtSetEventBoostPriority (272, ... 03109 1388 NtDuplicateObject ... 1008, ) == 0x0 03105 1956 NtProtectVirtualMemory ... (0x7dbe000), 4096, 4, ) == 0x0 03112 1024 NtWaitForSingleObject (136, 0, 0x0, ... 03090 276 NtWaitForSingleObject ... ) == 0x0 03111 520 NtSetEventBoostPriority ... ) == 0x0 03110 1064 NtRegisterThreadTerminatePort ... ) == 0x0 03113 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03114 276 NtSetEventBoostPriority (272, ... 03115 520 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03116 1064 NtWaitForSingleObject (272, 0, 0x0, ... 03113 1956 NtCreateThread ... 1012, {1292, 1296}, ) == 0x0 03096 996 NtWaitForSingleObject ... ) == 0x0 03115 520 NtDuplicateObject ... 1016, ) == 0x0 03117 1956 NtQueryInformationThread (1012, Basic, 28, ... 03118 996 NtSetEventBoostPriority (272, ... 03114 276 NtSetEventBoostPriority ... ) == 0x0 03119 1388 NtWaitForSingleObject (272, 0, 0x0, ... 03117 1956 NtQueryInformationThread ... 
{ExitStatus=0x103,TebBaseAddress=0x7ff45000,Pid=1292,Tid=1296,}, 0x0, ) == 0x0 03101 1600 NtWaitForSingleObject ... ) == 0x0 03120 276 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03121 1600 NtSetEventBoostPriority (272, ... 03122 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58112, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58112, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\14\5\0\0\20\5\0\0" ... ... 03104 1856 NtWaitForSingleObject ... ) == 0x0 03121 1600 NtSetEventBoostPriority ... ) == 0x0 03120 276 NtDuplicateObject ... 1020, ) == 0x0 03118 996 NtSetEventBoostPriority ... ) == 0x0 03123 520 NtWaitForSingleObject (272, 0, 0x0, ... 03124 1856 NtSetEventBoostPriority (272, ... 03122 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58113, 0} ... {28, 56, reply, 0, 1292, 1956, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\364\3\0\0\14\5\0\0\20\5\0\0" ) ) == 0x0 03125 1600 NtSetEventBoostPriority (88, ... 03126 996 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03106 948 NtWaitForSingleObject ... ) == 0x0 03127 1956 NtResumeThread (1012, ... 02444 1372 NtWaitForSingleObject ... ) == 0x0 03125 1600 NtSetEventBoostPriority ... ) == 0x0 03126 996 NtDuplicateObject ... 1024, ) == 0x0 03128 948 NtSetEventBoostPriority (272, ... 03129 1372 NtWaitForSingleObject (272, 0, 0x0, ... 03127 1956 NtResumeThread ... 1, ) == 0x0 03130 1600 NtTestAlert (... 03124 1856 NtSetEventBoostPriority ... ) == 0x0 03131 276 NtWaitForSingleObject (272, 0, 0x0, ... 03132 1296 NtWaitForSingleObject (88, 0, 0x0, ... 03116 1064 NtWaitForSingleObject ... ) == 0x0 03128 948 NtSetEventBoostPriority ... ) == 0x0 03133 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03130 1600 NtTestAlert ... ) == 0x0 03134 1856 NtWaitForSingleObject (272, 0, 0x0, ... 03135 1064 NtSetEventBoostPriority (272, ... 03136 948 NtWaitForSingleObject (272, 0, 0x0, ... 03133 1956 NtAllocateVirtualMemory ... 131858432, 1048576, ) == 0x0 03137 1600 NtContinue (116129072, 1, ... 
03119 1388 NtWaitForSingleObject ... ) == 0x0 03135 1064 NtSetEventBoostPriority ... ) == 0x0 03138 996 NtWaitForSingleObject (272, 0, 0x0, ... 03139 1388 NtSetEventBoostPriority (272, ... 03140 1600 NtRegisterThreadTerminatePort (24, ... 03141 1956 NtAllocateVirtualMemory (-1, 132898816, 0, 8192, 4096, 4, ... 03123 520 NtWaitForSingleObject ... ) == 0x0 03139 1388 NtSetEventBoostPriority ... ) == 0x0 03142 1064 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03143 520 NtSetEventBoostPriority (272, ... 03141 1956 NtAllocateVirtualMemory ... 132898816, 8192, ) == 0x0 03144 1388 NtWaitForSingleObject (272, 0, 0x0, ... 03129 1372 NtWaitForSingleObject ... ) == 0x0 03143 520 NtSetEventBoostPriority ... ) == 0x0 03142 1064 NtDuplicateObject ... 1028, ) == 0x0 03145 1956 NtProtectVirtualMemory (-1, (0x7ebe000), 4096, 260, ... 03140 1600 NtRegisterThreadTerminatePort ... ) == 0x0 03146 1372 NtSetEventBoostPriority (272, ... 03147 520 NtWaitForSingleObject (272, 0, 0x0, ... 03148 1064 NtWaitForSingleObject (272, 0, 0x0, ... 03145 1956 NtProtectVirtualMemory ... (0x7ebe000), 4096, 4, ) == 0x0 03131 276 NtWaitForSingleObject ... ) == 0x0 03146 1372 NtSetEventBoostPriority ... ) == 0x0 03149 1600 NtWaitForSingleObject (272, 0, 0x0, ... 03150 276 NtSetEventBoostPriority (272, ... 03151 1956 NtCreateThread (0x1f03ff, 0x0, -1, 1243956, 1243900, 1, ... 03134 1856 NtWaitForSingleObject ... ) == 0x0 03150 276 NtSetEventBoostPriority ... ) == 0x0 03152 1856 NtSetEventBoostPriority (272, ... 03151 1956 NtCreateThread ... 1032, {1292, 1612}, ) == 0x0 03136 948 NtWaitForSingleObject ... ) == 0x0 03152 1856 NtSetEventBoostPriority ... ) == 0x0 03153 276 NtWaitForSingleObject (272, 0, 0x0, ... 03154 1372 NtSetEventBoostPriority (88, ... 03155 948 NtSetEventBoostPriority (272, ... 03156 1956 NtQueryInformationThread (1032, Basic, 28, ... 03157 1856 NtWaitForSingleObject (88, 0, 0x0, ... 03138 996 NtWaitForSingleObject ... ) == 0x0 02490 2040 NtWaitForSingleObject ... 
) == 0x0 03154 1372 NtSetEventBoostPriority ... ) == 0x0 03156 1956 NtQueryInformationThread ... {ExitStatus=0x103,TebBaseAddress=0x7ff44000,Pid=1292,Tid=1612,}, 0x0, ) == 0x0 03158 2040 NtWaitForSingleObject (272, 0, 0x0, ... 03159 996 NtSetEventBoostPriority (272, ... 03160 1372 NtTestAlert (... 03161 1956 NtRequestWaitReplyPort (24, {28, 56, new_msg, 0, 1292, 1956, 58113, 0} (24, {28, 56, new_msg, 0, 1292, 1956, 58113, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\14\5\0\0L\6\0\0" ... ... 03144 1388 NtWaitForSingleObject ... ) == 0x0 03159 996 NtSetEventBoostPriority ... ) == 0x0 03160 1372 NtTestAlert ... ) == 0x0 03162 1388 NtSetEventBoostPriority (272, ... 03161 1956 NtRequestWaitReplyPort ... {28, 56, reply, 0, 1292, 1956, 58114, 0} ... {28, 56, reply, 0, 1292, 1956, 58114, 0} "\0\0\0\0\1\0\1\0\0\0\0\0DEFG\10\4\0\0\14\5\0\0L\6\0\0" ) ) == 0x0 03163 996 NtWaitForSingleObject (272, 0, 0x0, ... 03148 1064 NtWaitForSingleObject ... ) == 0x0 03164 1372 NtContinue (117177648, 1, ... 03165 1956 NtResumeThread (1032, ... 03162 1388 NtSetEventBoostPriority ... ) == 0x0 03155 948 NtSetEventBoostPriority ... ) == 0x0 03166 1064 NtSetEventBoostPriority (272, ... 03167 1372 NtRegisterThreadTerminatePort (24, ... 03168 1388 NtWaitForSingleObject (272, 0, 0x0, ... 03169 948 NtWaitForSingleObject (324, 0, 0x0, ... 03147 520 NtWaitForSingleObject ... ) == 0x0 03166 1064 NtSetEventBoostPriority ... ) == 0x0 03165 1956 NtResumeThread ... 1, ) == 0x0 03170 520 NtSetEventBoostPriority (272, ... 03167 1372 NtRegisterThreadTerminatePort ... ) == 0x0 03171 1612 NtWaitForSingleObject (88, 0, 0x0, ... 03149 1600 NtWaitForSingleObject ... ) == 0x0 03172 1956 NtAllocateVirtualMemory (-1, 0, 0, 1048576, 8192, 4, ... 03173 1372 NtWaitForSingleObject (272, 0, 0x0, ... 03174 1600 NtSetEventBoostPriority (272, ... 03172 1956 NtAllocateVirtualMemory ... 132907008, 1048576, ) == 0x0 03158 2040 NtWaitForSingleObject ... ) == 0x0 03174 1600 NtSetEventBoostPriority ... 
) == 0x0 03175 2040 NtSetEventBoostPriority (272, ... 03176 1956 NtAllocateVirtualMemory (-1, 133947392, 0, 8192, 4096, 4, ... 03170 520 NtSetEventBoostPriority ... ) == 0x0 03177 1064 NtWaitForSingleObject (272, 0, 0x0, ... 03153 276 NtWaitForSingleObject ... ) == 0x0 03175 2040 NtSetEventBoostPriority ... ) == 0x0 03176 1956 NtAllocateVirtualMemory ... 133947392, 8192, ) == 0x0 03178 520 NtWaitForSingleObject (272, 0, 0x0, ... 03179 276 NtSetEventBoostPriority (272, ... 03180 1600 NtDuplicateObject (-1, -2, -1, 0x0, 0, 2, ... 03181 1956 NtProtectVirtualMemory (-1, (0x7fbe000), 4096, 260, ... 03163 996 NtWaitForSingleObject ... ) == 0x0 03180 1600 NtDuplicateObject ... 1036, ) == 0x0 03179 276 NtSetEventBoostPriority ... ) == 0x0 03182 2040 NtSetEventBoostPriority (88, ... 03183 996 NtSetEventBoostPriority (272, ... 03184 1600 NtWaitForSingleObject (272, 0, 0x0, ...